# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: Jun 6 2019 12:21:16 # Log Creation Date: 19.06.2019 16:00:01.785 Process: id = "1" image_name = "c_932.nls.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c_932.nls.exe" page_root = "0x4efbb000" os_pid = "0x9c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x9c4 [0029.867] CryptAcquireContextA (in: phProv=0x18ff80, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18ff80*=0x5947c8) returned 1 [0030.041] CryptImportKey (in: hProv=0x5947c8, pbData=0x401037, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x0, phKey=0x18ff7c | out: phKey=0x18ff7c*=0x5948e0) returned 1 [0030.043] CryptDecrypt (in: hKey=0x5948e0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x403000, pdwDataLen=0x18ff84 | out: pbData=0x403000, pdwDataLen=0x18ff84) returned 1 [0030.045] CryptDestroyKey (hKey=0x5948e0) returned 1 [0030.045] CryptReleaseContext (hProv=0x5947c8, dwFlags=0x0) returned 1 [0030.045] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x401d41, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x80 [0030.046] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x595038, nSize=0x8000 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c_932.nls.exe")) returned 0x33 [0030.046] lstrcmpiA (lpString1="C:\\windows\\searchfiles.exe", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe") returned 1 [0030.049] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", ulOptions=0x0, samDesired=0xf013f, phkResult=0x18ff6c | out: phkResult=0x18ff6c*=0x84) returned 0x0 [0030.049] lstrlenA (lpString="\"c:\\Decoding help.hta\"") returned 22 [0030.049] RegSetValueExA (in: hKey=0x84, lpValueName="unlock", Reserved=0x0, dwType=0x1, lpData="\"c:\\Decoding help.hta\"", cbData=0x16 | out: lpData="\"c:\\Decoding help.hta\"") returned 0x0 [0030.050] lstrlenA (lpString="C:\\windows\\searchfiles.exe") returned 26 [0030.050] RegSetValueExA (in: hKey=0x84, lpValueName="searchfiles", Reserved=0x0, dwType=0x1, lpData="C:\\windows\\searchfiles.exe", cbData=0x1a | out: lpData="C:\\windows\\searchfiles.exe") returned 0x0 [0030.050] RegCloseKey (hKey=0x84) returned 0x0 [0030.050] CopyFileA (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c_932.nls.exe"), lpNewFileName="C:\\windows\\searchfiles.exe" (normalized: "c:\\windows\\searchfiles.exe"), bFailIfExists=0) returned 1 [0030.056] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DateTime\\", ulOptions=0x0, samDesired=0xf013f, phkResult=0x18ff6c | out: phkResult=0x18ff6c*=0x8c) returned 0x0 [0030.056] RegQueryValueExA (in: hKey=0x8c, lpValueName="orsa", lpReserved=0x0, lpType=0x0, lpData=0x4045f0, lpcbData=0x18ff5c*=0x114 | out: lpType=0x0, lpData=0x4045f0*=0x0, lpcbData=0x18ff5c*=0x114) returned 0x2 [0030.056] CryptAcquireContextA (in: phProv=0x18ff64, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18ff64*=0x594688) returned 1 [0030.057] CryptGenKey (in: hProv=0x594688, Algid=0x1, dwFlags=0x8000001, phKey=0x18ff70 | out: phKey=0x18ff70*=0x5947e8) returned 1 [0032.597] CryptExportKey (in: hKey=0x5947e8, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x595038, pdwDataLen=0x18ff60 | out: pbData=0x595038*, pdwDataLen=0x18ff60*=0x494) returned 1 [0032.597] CryptExportKey (in: hKey=0x5947e8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x4045f0, pdwDataLen=0x18ff60 | out: pbData=0x4045f0*, pdwDataLen=0x18ff60*=0x114) returned 1 [0032.598] CryptDestroyKey (hKey=0x5947e8) returned 1 [0032.598] CryptReleaseContext (hProv=0x594688, dwFlags=0x0) returned 1 [0032.598] CryptAcquireContextA (in: phProv=0x18ff64, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18ff64*=0x5a2bd0) returned 1 [0032.599] CryptImportKey (in: hProv=0x5a2bd0, pbData=0x403fd0, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x403ab2 | out: phKey=0x403ab2*=0x5a5130) returned 1 [0032.599] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4040f0*, pdwDataLen=0x18ff60*=0xf4, dwBufLen=0x500 | out: pbData=0x4040f0*, pdwDataLen=0x18ff60*=0x100) returned 1 [0032.599] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4041f0*, pdwDataLen=0x18ff60*=0xf4, dwBufLen=0x500 | out: pbData=0x4041f0*, pdwDataLen=0x18ff60*=0x100) returned 1 [0032.599] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4042f0*, pdwDataLen=0x18ff60*=0xf4, dwBufLen=0x500 | out: pbData=0x4042f0*, pdwDataLen=0x18ff60*=0x100) returned 1 [0032.599] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4043f0*, pdwDataLen=0x18ff60*=0xf4, dwBufLen=0x500 | out: pbData=0x4043f0*, pdwDataLen=0x18ff60*=0x100) returned 1 [0032.599] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4044f0*, pdwDataLen=0x18ff60*=0xc4, dwBufLen=0x500 | out: pbData=0x4044f0*, pdwDataLen=0x18ff60*=0x100) returned 1 [0032.600] CryptDestroyKey (hKey=0x5a5130) returned 1 [0032.600] CryptReleaseContext (hProv=0x5a2bd0, dwFlags=0x0) returned 1 [0032.600] RegSetValueExA (in: hKey=0x8c, lpValueName="orsa", Reserved=0x0, dwType=0x3, lpData=0x4045f0*, cbData=0x114 | out: lpData=0x4045f0*) returned 0x0 [0032.601] RegSetValueExA (in: hKey=0x8c, lpValueName="rsa", Reserved=0x0, dwType=0x3, lpData=0x4040f0*, cbData=0x500 | out: lpData=0x4040f0*) returned 0x0 [0032.601] RegCloseKey (hKey=0x8c) returned 0x0 [0032.602] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\", ulOptions=0x0, samDesired=0xf013f, phkResult=0x18ff6c | out: phkResult=0x18ff6c*=0x8c) returned 0x0 [0032.602] RegSetValueExA (in: hKey=0x8c, lpValueName="PromptOnSecureDesktop", Reserved=0x0, dwType=0x4, lpData=0x595038*=0x0, cbData=0x4 | out: lpData=0x595038*=0x0) returned 0x0 [0032.605] RegSetValueExA (in: hKey=0x8c, lpValueName="EnableLUA", Reserved=0x0, dwType=0x4, lpData=0x595038*=0x0, cbData=0x4 | out: lpData=0x595038*=0x0) returned 0x0 [0032.606] RegSetValueExA (in: hKey=0x8c, lpValueName="ConsentPromptBehaviorAdmin", Reserved=0x0, dwType=0x4, lpData=0x595038*=0x0, cbData=0x4 | out: lpData=0x595038*=0x0) returned 0x0 [0032.607] RegCloseKey (hKey=0x8c) returned 0x0 [0032.607] CryptAcquireContextA (in: phProv=0x18ff64, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18ff64*=0x5a2bd0) returned 1 [0032.608] CryptImportKey (in: hProv=0x5a2bd0, pbData=0x4045f0, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x403ab2 | out: phKey=0x403ab2*=0x5a5130) returned 1 [0032.608] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff74 | out: lpSystemTimeAsFileTime=0x18ff74*(dwLowDateTime=0x1f0c2810, dwHighDateTime=0x1d526b8)) [0032.608] FileTimeToSystemTime (in: lpFileTime=0x18ff74, lpSystemTime=0x18ff7c | out: lpSystemTime=0x18ff7c) returned 1 [0032.608] GetDateFormatA (in: Locale=0x0, dwFlags=0x0, lpDate=0x18ff7c, lpFormat="dd,MM,yyyy", lpDateStr=0x403449, cchDate=10 | out: lpDateStr="22,06,2019);