ef1613f88744acec36908126b21bcba9ba775f8af25a1e86988e36985dd6f6fb (SHA256)
order ref ftp.exe
Windows Exe (x86-32)
Created at 2018-10-16 10:55:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: order ref ftp.exe
546
8
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfcc |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD0
0x
FF8
0x
FFC
0x
2F4
0x
85C
0x
918
0x
D78
0x
D70
0x
D68
0x
D3C
0x
D30
0x
D84
0x
CEC
0x
0
0x
148
0x
810
0x
814
0x
2E4
0x
BF8
0x
ECC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| order ref ftp.exe | 0x00d10000 | 0x00d9ffff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000da0000 | 0x00da0000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00de3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f51fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f60000 | 0x0101dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x01060fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01070fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01080fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01090fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010affff | Private Memory | - |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x010dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010effff | Private Memory | - |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010fffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000001100000 | 0x01100000 | 0x01100fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0121ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001220000 | 0x01220000 | 0x0122ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0132ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001330000 | 0x01330000 | 0x0136ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001370000 | 0x01370000 | 0x0140ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x013e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000013f0000 | 0x013f0000 | 0x013fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001400000 | 0x01400000 | 0x0140ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001400000 | 0x01400000 | 0x01400fff | Pagefile Backed Memory | r |
|
|
|
- |
| l_intl.nls | 0x01410000 | 0x01412fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x01420fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001430000 | 0x01430000 | 0x0143ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x0144ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001450000 | 0x01450000 | 0x0154ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001550000 | 0x01550000 | 0x0155ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000001560000 | 0x01560000 | 0x01560fff | Pagefile Backed Memory | r |
|
|
|
- |
| sorttbls.nlp | 0x01570000 | 0x01574fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001580000 | 0x01580000 | 0x0158ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001590000 | 0x01590000 | 0x01590fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000015a0000 | 0x015a0000 | 0x015affff | Private Memory | - |
|
|
|
- |
| private_0x00000000015b0000 | 0x015b0000 | 0x015bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000015c0000 | 0x015c0000 | 0x01747fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001750000 | 0x01750000 | 0x018d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000018e0000 | 0x018e0000 | 0x02cdffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x02d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x02e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e20000 | 0x02e20000 | 0x02e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e70000 | 0x02e70000 | 0x02e7ffff | Private Memory | rwx |
|
|
|
- |
| sortdefault.nls | 0x02e80000 | 0x031b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000031c0000 | 0x031c0000 | 0x051bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051c0000 | 0x051c0000 | 0x0539ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051c0000 | 0x051c0000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x0532ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005330000 | 0x05330000 | 0x0536ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005390000 | 0x05390000 | 0x0539ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x0639ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000063a0000 | 0x063a0000 | 0x0739ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000073a0000 | 0x073a0000 | 0x075effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000075f0000 | 0x075f0000 | 0x076effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000076f0000 | 0x076f0000 | 0x077effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000077f0000 | 0x077f0000 | 0x078effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000078f0000 | 0x078f0000 | 0x0792ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007930000 | 0x07930000 | 0x07a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007a30000 | 0x07a30000 | 0x07a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007a70000 | 0x07a70000 | 0x07b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007b70000 | 0x07b70000 | 0x07baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007bb0000 | 0x07bb0000 | 0x07caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007cb0000 | 0x07cb0000 | 0x07ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007cf0000 | 0x07cf0000 | 0x07deffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x07df0000 | 0x07e30fff | Memory Mapped File | r |
|
|
|
- |
| fastprox.dll | 0x71b70000 | 0x71c2bfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x71c30000 | 0x71c95fff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.ni.dll | 0x71ca0000 | 0x7287ffff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x72880000 | 0x73022fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x73130000 | 0x73140fff | Memory Mapped File | rwx |
|
|
|
- |
| wminet_utils.dll | 0x73150000 | 0x73158fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x73160000 | 0x7316cfff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x73170000 | 0x7318dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x73190000 | 0x73293fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x732a0000 | 0x732cefff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x732d0000 | 0x732eafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x732f0000 | 0x73302fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.visualbasic.ni.dll | 0x73310000 | 0x734b4fff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x734c0000 | 0x73648fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x73650000 | 0x736aafff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x736b0000 | 0x741a9fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x741b0000 | 0x7424afff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x74250000 | 0x747fffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74800000 | 0x74807fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74810000 | 0x74887fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x74890000 | 0x748e8fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74910000 | 0x74984fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74990000 | 0x74a20fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x74ac0000 | 0x74ac6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76ed0000 | 0x76f2bfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76f30000 | 0x77019fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77670000 | 0x776f1fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f527000 | 0x7f527000 | 0x7f529fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f52a000 | 0x7f52a000 | 0x7f52cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f52d000 | 0x7f52d000 | 0x7f52ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f530000 | 0x7f530000 | 0x7f53ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007f540000 | 0x7f540000 | 0x7f58ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007f591000 | 0x7f591000 | 0x7f593fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f594000 | 0x7f594000 | 0x7f596fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f597000 | 0x7f597000 | 0x7f599fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f59a000 | 0x7f59a000 | 0x7f59cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f59d000 | 0x7f59d000 | 0x7f59ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f5a0000 | 0x7f5a0000 | 0x7f69ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f6a0000 | 0x7f6a0000 | 0x7f6c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f6c3000 | 0x7f6c3000 | 0x7f6c5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6c6000 | 0x7f6c6000 | 0x7f6c8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6c9000 | 0x7f6c9000 | 0x7f6c9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6cc000 | 0x7f6cc000 | 0x7f6cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f6cf000 | 0x7f6cf000 | 0x7f6cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 48 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | 0.00 KB |
MD5:
f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 SSDeep: 3:Qn:Qn |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | 0.45 KB |
MD5:
93c8c3c8da84285107aa86444a095500
SHA1: f01b6bdefe99aa2fdbfb1e185982ad75af771892 SHA256: 5ace779e0b61dfefc47ee45d84ff79fc3fa77c0e3d853e75126fc38f6f3b50b8 SSDeep: 6:QAX61qU8ezSOGbXYRADAwzRIj2SOG2AmYezRSJcnDWUiBnDWAwb:QrD8hOGTYRADzRI5OG2Ge9SJgyPlyAwb |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\877de498-eb87-4352-dee0-40eac252a007 | 0.06 KB |
MD5:
f06baf5a7b83c0b0e0d432f74350f836
SHA1: 7a3d1679d6f83ff26b858213c85e80ece939b5a4 SHA256: 3a3befb2cb000dea163bda67223b26b2ff0c232e2cdc0e42be3f7bdd8b110fb5 SSDeep: 3:Lg67SJRhfdF/QC4Vom:j74xdSC4Vom |
|
|
Host Behavior
COM (11)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WbemDefaultPathParser | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
4 | |
| Create | WBEMLocator | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
2 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Create | EB87E1BD-3233-11D2-AEC9-00C04FB68820 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\root\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\root\CIMV2 |
|
1 |
File (343)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\877de498-eb87-4352-dee0-40eac252a007 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
19 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
28 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
13 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Temp File | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | path = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\, prefix = tmp |
|
1 | |
| Create Temp File | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | path = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\, prefix = tmp |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\877de498-eb87-4352-dee0-40eac252a007 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\877de498-eb87-4352-dee0-40eac252a007 | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.config | type = file_attributes |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | type = file_type |
|
38 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | type = file_type |
|
56 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | type = file_type |
|
26 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | type = file_type |
|
4 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FileZilla | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CoreFTP\sites.idx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\.minecraft\lastlogin | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config | type = file_attributes |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | size = 4096, size_out = 0 |
|
19 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | size = 4096, size_out = 2 |
|
16 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | size = 4096, size_out = 2 |
|
28 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | size = 4096, size_out = 0 |
|
28 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | size = 4096, size_out = 2 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | size = 4096, size_out = 2 |
|
13 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | size = 4096, size_out = 0 |
|
13 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 4096, size_out = 0 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 4096, size_out = 462 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 1459 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\877de498-eb87-4352-dee0-40eac252a007 | size = 64 |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | - |
|
1 |
Registry (27)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Beyluxe Messenger | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = %systemroot%\system32\netfxperf.dll, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 5840, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework | value_name = LegacyWPADSupport, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | os_pid = 0xc54, creation_flags = CREATE_SUSPENDED, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | os_pid = 0xe1c, creation_flags = CREATE_SUSPENDED, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Thread (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | os_tid = 0xfd0 |
|
1 | |
| Get Context | c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | os_tid = 0xfd0 |
|
1 | |
| Set Context | c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | os_tid = 0xfd0 |
|
1 | |
| Set Context | c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | os_tid = 0xfd0 |
|
1 | |
| Resume | c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | os_tid = 0xfd0 |
|
1 | |
| Resume | c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | os_tid = 0xfd0 |
|
1 |
Memory (16)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Allocate | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x7ffde008, size = 4 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x7ffde008, size = 4 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x400000, size = 1024 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x401000, size = 278528 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x445000, size = 48128 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x451000, size = 5632 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x454000, size = 27136 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x7ffde008, size = 4 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x400000, size = 1024 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x401000, size = 71168 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x413000, size = 14848 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x417000, size = 3072 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x419000, size = 12288 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | address = 0x7ffde008, size = 4 |
|
1 |
Module (63)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe | base_address = 0xd10000 |
|
1 | |
| Load | C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll | base_address = 0x73150000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x74ad0000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | base_address = 0xd10000 |
|
5 | |
| Get Filename | C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe | process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe, size = 255 |
|
3 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ResetSecurity, address_out = 0x73151944 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = SetSecurity, address_out = 0x73151986 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BlessIWbemServices, address_out = 0x731519cc |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BlessIWbemServicesObject, address_out = 0x73151a1e |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetPropertyHandle, address_out = 0x73151a70 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = WritePropertyValue, address_out = 0x73151a89 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Clone, address_out = 0x73151aa2 |
|
2 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = VerifyClientKey, address_out = 0x73152270 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetQualifierSet, address_out = 0x73151d73 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Get, address_out = 0x73151b96 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Put, address_out = 0x73151b7a |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Delete, address_out = 0x73151bb5 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetNames, address_out = 0x73151bc8 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BeginEnumeration, address_out = 0x73151be4 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Next, address_out = 0x73151bf7 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = EndEnumeration, address_out = 0x73151c16 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetPropertyQualifierSet, address_out = 0x73151c26 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetObjectText, address_out = 0x73151c3c |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = SpawnDerivedClass, address_out = 0x73151c52 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = SpawnInstance, address_out = 0x73151c68 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CompareTo, address_out = 0x73151c7e |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetPropertyOrigin, address_out = 0x73151c94 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = InheritsFrom, address_out = 0x73151caa |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetMethod, address_out = 0x73151cbd |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = PutMethod, address_out = 0x73151cd9 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = DeleteMethod, address_out = 0x73151cf5 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BeginMethodEnumeration, address_out = 0x73151d08 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = NextMethod, address_out = 0x73151d1b |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = EndMethodEnumeration, address_out = 0x73151d37 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetMethodQualifierSet, address_out = 0x73151d47 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetMethodOrigin, address_out = 0x73151d5d |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Get, address_out = 0x73151d86 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Put, address_out = 0x73151da2 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Delete, address_out = 0x73151dbb |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_GetNames, address_out = 0x73151dce |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_BeginEnumeration, address_out = 0x73151de4 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Next, address_out = 0x73151df7 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_EndEnumeration, address_out = 0x73151e13 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetCurrentApartmentType, address_out = 0x73151d73 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetDemultiplexedStub, address_out = 0x731518fd |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CreateInstanceEnumWmi, address_out = 0x73151580 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CreateClassEnumWmi, address_out = 0x731515f6 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ExecQueryWmi, address_out = 0x7315169e |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ExecNotificationQueryWmi, address_out = 0x73151717 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = PutInstanceWmi, address_out = 0x73151790 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = PutClassWmi, address_out = 0x73151810 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CloneEnumWbemClassObject, address_out = 0x73151890 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ConnectServerWmi, address_out = 0x731524b7 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcW, address_out = 0x77a0caa0 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, desired_access = FILE_MAP_WRITE |
|
1 |
Window (10)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 2007026336 |
|
2 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 48696466 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 48696514 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 48697666 |
|
1 |
System (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
6 | |
| Get Info | type = Operating System |
|
7 |
Mutex (26)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = 35649757-3aea-40a9-acdb-9f15f973090c |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | - |
|
1 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
10 | |
| Release | - |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = COR_ENABLE_PROFILING |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = ftp.r2v2.co.uk, address_out = 216.37.42.30 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 535 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 216.37.42.30:55376 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x608 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 216.37.42.30 |
| Remote Port | 55376 |
| Local Address | 192.168.0.51 |
| Local Port | 49429 |
| Data Sent | 535 bytes |
| Data Received | 0 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Bind | local_address = 192.168.0.51, local_port = 49429, hint = OS assigned a local port from the dynamic client port range |
|
1 | |
| Connect | remote_address = 216.37.42.30, remote_port = 55376 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 535, size_out = 535 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
Process #4: vbc.exe
410
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe |
| Command Line | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:06, Reason: Child Process |
| Unmonitor | End Time: 00:01:10, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc54 |
| Parent PID | 0xfcc (c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CE8
0x
C34
0x
A74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x00305fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0x002f0000 | 0x002f0fff | Memory Mapped File | rw |
|
|
|
|
| pagefile_0x0000000000300000 | 0x00300000 | 0x0030ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00317fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00314fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00353fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00370fff | Private Memory | rw |
|
|
|
- |
| tzres.dll | 0x00370000 | 0x00372fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00385fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00377fff | Pagefile Backed Memory | rw |
|
|
|
- |
| tzres.dll.mui | 0x00380000 | 0x00388fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00397fff | Pagefile Backed Memory | rw |
|
|
|
- |
| vbc.exe | 0x00400000 | 0x0051efff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0045afff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| ucrtbase.dll | 0x00560000 | 0x0063bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a37fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x01fcffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fd0000 | 0x01fd0000 | 0x020cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002180000 | 0x02180000 | 0x0218ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02190000 | 0x024c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x025d0fff | Private Memory | rw |
|
|
|
- |
| nss3.dll | 0x024d0000 | 0x025fafff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x026cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x027cefff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002600000 | 0x02600000 | 0x026fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002700000 | 0x02700000 | 0x027fffff | Private Memory | rw |
|
|
|
- |
| freebl3.dll | 0x70f70000 | 0x70fc4fff | Memory Mapped File | rwx |
|
|
|
- |
| nssdbm3.dll | 0x70fd0000 | 0x70fe8fff | Memory Mapped File | rwx |
|
|
|
- |
| softokn3.dll | 0x70ff0000 | 0x71015fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x71020000 | 0x71040fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x71050000 | 0x710bcfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x710c0000 | 0x711fefff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x71200000 | 0x71222fff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x71230000 | 0x71244fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x71250000 | 0x7132bfff | Memory Mapped File | rwx |
|
|
|
- |
| mozglue.dll | 0x71330000 | 0x71351fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x71360000 | 0x71383fff | Memory Mapped File | rwx |
|
|
|
- |
| nss3.dll | 0x71390000 | 0x714befff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x714c0000 | 0x71584fff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x71590000 | 0x715c5fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x715d0000 | 0x71890fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x718a0000 | 0x71ac3fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x71ad0000 | 0x71b61fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| pstorec.dll | 0x73110000 | 0x73117fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x73110000 | 0x73117fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x732a0000 | 0x732cefff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x732d0000 | 0x732eafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x732f0000 | 0x73302fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74800000 | 0x74807fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x74ac0000 | 0x74ac6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x76ec0000 | 0x76ec5fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76ed0000 | 0x76f2bfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76f30000 | 0x77019fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77020000 | 0x77055fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x400000, size = 1024 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x401000, size = 278528 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x445000, size = 48128 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x451000, size = 5632 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x454000, size = 27136 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x7ffde008, size = 4 |
|
1 | |
| Modify Control Flow | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | os_tid = 0xce8, address = 0x0 |
|
1 |
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\counters.dat | 0.12 KB |
MD5:
0fc07622856a4f02ec32f3b8cdc7d79a
SHA1: 69227fbe52d3fbfa3af508fee363698fd2a3613c SHA256: 0ac6eba5d515f5a55c7d5bd712cb191aac9bbef780cac77f3a69e357d8c3d746 SSDeep: 3:/lV/l3l:d |
|
|
Host Behavior
File (83)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\history.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\logins.json | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons2.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons3.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Sea Monkey\nss3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Vivaldi\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = size, size_out = 0 |
|
5 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = size, size_out = 0 |
|
5 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\pnacl\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\pnacl\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Apple Computer\Preferences\keychain.plist | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Opera\Opera\wand.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Opera\Opera7\profile\wand.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Opera Software\Opera Stable\Login Data | type = file_attributes |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data | size = 100, size_out = 100 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data | size = 2048, size_out = 2048 |
|
4 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data | size = 16, size_out = 16 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data | size = 100, size_out = 100 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data | size = 2048, size_out = 2048 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data | size = 16, size_out = 16 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp | size = 2 |
|
1 |
Registry (18)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 53.0.3\bin | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 53.0.3\bin | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 53.0.3\bin | value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 53.0.3\bin | value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
2 |
Process (111)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | System | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\hadgdp.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\mergerbass.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\italianbreakfast.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\merger raw.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\protein announcements processes.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\cdt_expenditure_vincent.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\woundchristopher.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows portable devices\irrigation_teach.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows portable devices\suspect promoting stroke.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows sidebar\piepokemon.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\fo deutsch.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\complete_paso_altered.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\array_matched_latitude.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\segments-nhs-bee.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\readily knives.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\barry_slovenia_won.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowspowershell\livearticle.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\inn_creation.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\demand_sony_leeds.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\optimize-dressing.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\hadgdp.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\mergerbass.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\italianbreakfast.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\merger raw.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\protein announcements processes.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\cdt_expenditure_vincent.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\woundchristopher.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows portable devices\irrigation_teach.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows portable devices\suspect promoting stroke.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows sidebar\piepokemon.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\fo deutsch.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\complete_paso_altered.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\array_matched_latitude.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\segments-nhs-bee.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\readily knives.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\barry_slovenia_won.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowspowershell\livearticle.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows journal\inn_creation.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\demand_sony_leeds.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\optimize-dressing.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 |
Module (156)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x71ad0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x752c0000 |
|
1 | |
| Load | psapi.dll | base_address = 0x76ec0000 |
|
2 | |
| Load | advapi32.dll | base_address = 0x74c60000 |
|
2 | |
| Load | pstorec.dll | base_address = 0x73110000 |
|
1 | |
| Load | vaultcli.dll | base_address = 0x71590000 |
|
1 | |
| Load | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0x71390000 |
|
1 | |
| Get Handle | c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | base_address = 0x400000 |
|
24 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77990000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
1 | |
| Get Handle | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\program files (x86)\mozilla firefox\nss3.dll | base_address = 0x71390000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260 |
|
3 | |
| Get Filename | - | process_name = c:\windows\system32\sihost.exe, file_name_orig = C:\Windows\System32\sihost.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\taskhostw.exe, file_name_orig = C:\Windows\System32\taskhostw.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\runtimebroker.exe, file_name_orig = C:\Windows\System32\RuntimeBroker.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\explorer.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, file_name_orig = C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, file_name_orig = C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office 15\hadgdp.exe, file_name_orig = C:\Program Files\Microsoft Office 15\hadgdp.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\common files\mergerbass.exe, file_name_orig = C:\Program Files (x86)\Common Files\mergerbass.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\windows mail\italianbreakfast.exe, file_name_orig = C:\Program Files\Windows Mail\italianbreakfast.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\merger raw.exe, file_name_orig = C:\Program Files\Microsoft Office\merger raw.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\google\protein announcements processes.exe, file_name_orig = C:\Program Files (x86)\Google\protein announcements processes.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\internet explorer\cdt_expenditure_vincent.exe, file_name_orig = C:\Program Files\Internet Explorer\cdt_expenditure_vincent.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office 15\woundchristopher.exe, file_name_orig = C:\Program Files\Microsoft Office 15\woundchristopher.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\windows portable devices\irrigation_teach.exe, file_name_orig = C:\Program Files\Windows Portable Devices\irrigation_teach.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\windows portable devices\suspect promoting stroke.exe, file_name_orig = C:\Program Files\Windows Portable Devices\suspect promoting stroke.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\windows sidebar\piepokemon.exe, file_name_orig = C:\Program Files\Windows Sidebar\piepokemon.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\windows media player\fo deutsch.exe, file_name_orig = C:\Program Files (x86)\Windows Media Player\fo deutsch.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\google\complete_paso_altered.exe, file_name_orig = C:\Program Files (x86)\Google\complete_paso_altered.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\common files\array_matched_latitude.exe, file_name_orig = C:\Program Files\Common Files\array_matched_latitude.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\windows multimedia platform\segments-nhs-bee.exe, file_name_orig = C:\Program Files (x86)\Windows Multimedia Platform\segments-nhs-bee.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\reference assemblies\readily knives.exe, file_name_orig = C:\Program Files\Reference Assemblies\readily knives.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\windows portable devices\barry_slovenia_won.exe, file_name_orig = C:\Program Files (x86)\Windows Portable Devices\barry_slovenia_won.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\windowspowershell\livearticle.exe, file_name_orig = C:\Program Files\WindowsPowerShell\livearticle.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\windows journal\inn_creation.exe, file_name_orig = C:\Program Files\Windows Journal\inn_creation.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files\reference assemblies\demand_sony_leeds.exe, file_name_orig = C:\Program Files\Reference Assemblies\demand_sony_leeds.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\windows mail\optimize-dressing.exe, file_name_orig = C:\Program Files (x86)\Windows Mail\optimize-dressing.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\taskhostw.exe, file_name_orig = C:\Windows\System32\taskhostw.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\System32\svchost.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\backgroundtaskhost.exe, file_name_orig = C:\Windows\System32\backgroundTaskHost.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\sihost.exe, file_name_orig = C:\Windows\System32\sihost.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\taskhostw.exe, file_name_orig = C:\Windows\System32\taskhostw.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\runtimebroker.exe, file_name_orig = C:\Windows\System32\RuntimeBroker.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\explorer.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, file_name_orig = C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, file_name_orig = C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\microsoft office 15\hadgdp.exe, file_name_orig = C:\Program Files\Microsoft Office 15\hadgdp.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\common files\mergerbass.exe, file_name_orig = C:\Program Files (x86)\Common Files\mergerbass.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows mail\italianbreakfast.exe, file_name_orig = C:\Program Files\Windows Mail\italianbreakfast.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\microsoft office\merger raw.exe, file_name_orig = C:\Program Files\Microsoft Office\merger raw.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\google\protein announcements processes.exe, file_name_orig = C:\Program Files (x86)\Google\protein announcements processes.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\internet explorer\cdt_expenditure_vincent.exe, file_name_orig = C:\Program Files\Internet Explorer\cdt_expenditure_vincent.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\microsoft office 15\woundchristopher.exe, file_name_orig = C:\Program Files\Microsoft Office 15\woundchristopher.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows portable devices\irrigation_teach.exe, file_name_orig = C:\Program Files\Windows Portable Devices\irrigation_teach.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows portable devices\suspect promoting stroke.exe, file_name_orig = C:\Program Files\Windows Portable Devices\suspect promoting stroke.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows sidebar\piepokemon.exe, file_name_orig = C:\Program Files\Windows Sidebar\piepokemon.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\windows media player\fo deutsch.exe, file_name_orig = C:\Program Files (x86)\Windows Media Player\fo deutsch.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\google\complete_paso_altered.exe, file_name_orig = C:\Program Files (x86)\Google\complete_paso_altered.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\common files\array_matched_latitude.exe, file_name_orig = C:\Program Files\Common Files\array_matched_latitude.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\windows multimedia platform\segments-nhs-bee.exe, file_name_orig = C:\Program Files (x86)\Windows Multimedia Platform\segments-nhs-bee.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\reference assemblies\readily knives.exe, file_name_orig = C:\Program Files\Reference Assemblies\readily knives.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\windows portable devices\barry_slovenia_won.exe, file_name_orig = C:\Program Files (x86)\Windows Portable Devices\barry_slovenia_won.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\windowspowershell\livearticle.exe, file_name_orig = C:\Program Files\WindowsPowerShell\livearticle.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows journal\inn_creation.exe, file_name_orig = C:\Program Files\Windows Journal\inn_creation.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\reference assemblies\demand_sony_leeds.exe, file_name_orig = C:\Program Files\Reference Assemblies\demand_sony_leeds.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\windows mail\optimize-dressing.exe, file_name_orig = C:\Program Files (x86)\Windows Mail\optimize-dressing.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\taskhostw.exe, file_name_orig = C:\Windows\System32\taskhostw.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\System32\svchost.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\backgroundtaskhost.exe, file_name_orig = C:\Windows\System32\backgroundTaskHost.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\comctl32.dll | function = InitCommonControlsEx, address_out = 0x71ad5000 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHGetSpecialFolderPathW, address_out = 0x7544edb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x779f8f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtLoadDriver, address_out = 0x779f9b30 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnloadDriver, address_out = 0x779fa670 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtOpenSymbolicLinkObject, address_out = 0x779f9d60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySymbolicLinkObject, address_out = 0x779fa020 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryObject, address_out = 0x779f8cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtSuspendProcess, address_out = 0x779fa5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtResumeProcess, address_out = 0x779fa1f0 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleBaseNameW, address_out = 0x76ec1420 |
|
2 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = EnumProcessModules, address_out = 0x76ec13a0 |
|
2 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleFileNameExW, address_out = 0x76ec1400 |
|
2 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = EnumProcesses, address_out = 0x76ec13c0 |
|
2 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleInformation, address_out = 0x76ec16a0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessTimes, address_out = 0x75153700 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextA, address_out = 0x74c80c00 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptReleaseContext, address_out = 0x74c80ad0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptCreateHash, address_out = 0x74c7f930 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGetHashParam, address_out = 0x74c7f530 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptHashData, address_out = 0x74c7f950 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptDestroyHash, address_out = 0x74c7fbf0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredReadA, address_out = 0x74c958f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredFree, address_out = 0x74c84010 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredDeleteA, address_out = 0x74c956b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateA, address_out = 0x74c95710 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateW, address_out = 0x74c83950 |
|
1 | |
| Get Address | c:\windows\syswow64\pstorec.dll | function = PStoreCreateInstance, address_out = 0x73111290 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultOpenVault, address_out = 0x71599e10 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultCloseVault, address_out = 0x71599e80 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultEnumerateItems, address_out = 0x71599c80 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultFree, address_out = 0x71599690 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultGetInformation, address_out = 0x715ab9a0 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultGetItem, address_out = 0x71599bf0 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = NSS_Init, address_out = 0x7141ee9a |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = NSS_Shutdown, address_out = 0x7141f125 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_GetInternalKeySlot, address_out = 0x71442f61 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_FreeSlot, address_out = 0x714429d3 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_CheckUserPassword, address_out = 0x7142bc2d |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_Authenticate, address_out = 0x7142bb28 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11SDR_Decrypt, address_out = 0x7143ef47 |
|
2 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = SYSTEM_HANDLE_INFORMATION |
|
1 | |
| Get Info | type = SYSTEM_HANDLE_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Ini (33)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = ShowInfoTip, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = ShowTimeInGMT, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsIE, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsChrome, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsOpera, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsSafari, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsYandex, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = LoadPasswordsVivaldi, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = UseChromeProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = UseOperaPasswordFile, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = FirefoxProfileFolder |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = FirefoxInstallFolder |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = ChromeProfileFolder |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = OperaPasswordFile |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = SaveFileEncoeding, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = UseQuickFilter, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = QuickFilterString |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = QuickFilterColumnsMode, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = QuickFilterFindMode, default_value = 1 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = Path, data_out = Profiles/8i341t8m.default |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = IsRelative, default_value = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = Path |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = IsRelative, default_value = 0 |
|
1 |
Process #5: vbc.exe
185
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe |
| Command Line | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe1c |
| Parent PID | 0xfcc (c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
190
0x
538
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00240000 | 0x002fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| vbc.exe | 0x00400000 | 0x0051efff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0041bfff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00830fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x01caffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001cb0000 | 0x01cb0000 | 0x01daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01e2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01e30000 | 0x02166fff | Memory Mapped File | r |
|
|
|
- |
| comctl32.dll | 0x71ad0000 | 0x71b61fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| pstorec.dll | 0x73110000 | 0x73117fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76680000 | 0x767f4fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76f30000 | 0x77019fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x771c0000 | 0x771cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x400000, size = 1024 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x401000, size = 71168 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x413000, size = 14848 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x417000, size = 3072 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x419000, size = 12288 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | address = 0x7ffde008, size = 4 |
|
1 | |
| Modify Control Flow | #1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe | 0xfd0 | os_tid = 0x190, address = 0x0 |
|
1 |
Host Behavior
File (23)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Thunderbird\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Thunderbird | type = file_attributes |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 50 |
|
2 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 2 |
|
3 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 32 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 34 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 36 |
|
2 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 25 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 22 |
|
4 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 24 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 26 |
|
2 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp | size = 29 |
|
1 |
Registry (98)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8} | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\Software\Microsoft\Internet Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\IncrediMail\Identities | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Group Mail | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\MessengerService | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Yahoo\Pager | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8} | value_name = Username, data = Main Identity, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = POP3 User, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = IMAP User, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = HTTP User, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = SMTP User, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 User, data = lcfkj@kiekc.df, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Server, data = fgr, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = Display Name, data = dkdjf kdil, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = Email, data = lcfkj@kiekc.df, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP Server, data = rgdr, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP Port, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Port, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Use SPA, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Password, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = IMAP User, data = 114, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = HTTP User, data = 114, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP User, data = 114, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = POP3 User, data = 114, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = IMAP User, data = 114, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = HTTP User, data = 114, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = SMTP User, data = 114, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles | - |
|
1 |
Module (32)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x71ad0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x752c0000 |
|
1 | |
| Load | pstorec.dll | base_address = 0x73110000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x76680000 |
|
2 | |
| Load | advapi32.dll | base_address = 0x74c60000 |
|
3 | |
| Get Handle | c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | base_address = 0x400000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\comctl32.dll | function = InitCommonControlsEx, address_out = 0x71ad5000 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHGetSpecialFolderPathA, address_out = 0x75564f00 |
|
1 | |
| Get Address | c:\windows\syswow64\pstorec.dll | function = PStoreCreateInstance, address_out = 0x73111290 |
|
1 | |
| Get Address | c:\windows\syswow64\crypt32.dll | function = CryptUnprotectData, address_out = 0x766caf50 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredReadA, address_out = 0x74c958f0 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredFree, address_out = 0x74c84010 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredDeleteA, address_out = 0x74c956b0 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateA, address_out = 0x74c95710 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateW, address_out = 0x74c83950 |
|
3 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Ini (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = AddExportHeaderLine, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 |
