7eef6ef8fed53b7c3bf61ba821f375a0a433ea4cb0185fd223780b729a9a5792 (SHA256)
output.113528456.txt.exe
Windows Exe (x86-32)
Created at 2018-08-10 04:08:00
Notifications (1/1)
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: output.113528456.txt.exe
304
154
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\eebsym5\desktop\output.113528456.txt.exe |
| Command Line | "C:\Users\EEBsYm5\Desktop\output.113528456.txt.exe" |
| Initial Working Directory | C:\Users\EEBsYm5\Desktop\ |
| Monitor | Start Time: 00:00:26, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:33, Reason: Self Terminated |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9a4 |
| Parent PID | 0x5ac (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9A8
0x
A3C
0x
A40
0x
A44
0x
A48
0x
A4C
0x
A50
0x
A80
0x
A84
0x
AA4
0x
AA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0012ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0013ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00270000 | 0x002cbfff | Memory Mapped File | r |
|
|
|
- |
| l_intl.nls | 0x00270000 | 0x00272fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | - |
|
|
|
- |
| sorttbls.nlp | 0x002b0000 | 0x002b4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x002d0000 | 0x002d0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x004a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00610fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortkey.nlp | 0x00620000 | 0x00660fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00670fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| oleaccrc.dll | 0x00730000 | 0x00730fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00751fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.1.db | 0x008c0000 | 0x008c3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x008c0000 | 0x008c3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db | 0x008d0000 | 0x008eefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db | 0x00900000 | 0x0092ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00930000 | 0x00933fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00a40000 | 0x00d0efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d10fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00d20000 | 0x00d5bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000d20000 | 0x00d20000 | 0x00d20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d3ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d4ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00d60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00f2efff | Pagefile Backed Memory | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x00f30000 | 0x00f95fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0111ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x01220fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0121ffff | Private Memory | rw |
|
|
|
- |
| output.113528456.txt.exe | 0x01280000 | 0x01287fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000001290000 | 0x01290000 | 0x01e8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x03e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003e90000 | 0x03e90000 | 0x04282fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004340000 | 0x04340000 | 0x0443ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x0458ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046b0000 | 0x046b0000 | 0x047affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x0493ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049b0000 | 0x049b0000 | 0x04aaffff | Private Memory | rw |
|
|
|
- |
| wminet_utils.dll | 0x6a310000 | 0x6a318fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x6b7a0000 | 0x6bf3bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x6bf40000 | 0x6ca37fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x6ca40000 | 0x6cfeafff | Memory Mapped File | rwx |
|
|
|
- |
| ieframe.dll | 0x6cff0000 | 0x6da6ffff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x6de80000 | 0x6df83fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x6e180000 | 0x6e21afff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x6e880000 | 0x6e896fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x6ebe0000 | 0x6ebe9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x6ebf0000 | 0x6ec07fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x6ec10000 | 0x6eca5fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x6ef00000 | 0x6ef0efff | Memory Mapped File | rwx |
|
|
|
- |
| system.serviceprocess.ni.dll | 0x6efa0000 | 0x6efd6fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x6f7c0000 | 0x6f81bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x6f900000 | 0x6f95afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x6f960000 | 0x6f9d7fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x718b0000 | 0x718fbfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x71de0000 | 0x71e29fff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x72360000 | 0x7239bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x73c00000 | 0x73c20fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x741e0000 | 0x7421ffff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74220000 | 0x74314fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74360000 | 0x744fdfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748d0000 | 0x748d8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74bf0000 | 0x74c2afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74e50000 | 0x74e65fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x752b0000 | 0x752cafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x752d0000 | 0x752dbfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75370000 | 0x7537dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75380000 | 0x7538afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75400000 | 0x75411fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75420000 | 0x7553cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75540000 | 0x75589fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75590000 | 0x755b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75680000 | 0x75720fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75730000 | 0x75774fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75780000 | 0x75802fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75810000 | 0x75815fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75820000 | 0x75824fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75830000 | 0x76479fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x76480000 | 0x76489fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76490000 | 0x764aefff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x764b0000 | 0x7664cfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x76650000 | 0x76744fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76750000 | 0x768abfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76910000 | 0x769e3fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x769f0000 | 0x76a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76a90000 | 0x76b3bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76b40000 | 0x76c08fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c10000 | 0x76c9efff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ca0000 | 0x76d6bfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76e10000 | 0x76e66fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x76e70000 | 0x76fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76fb0000 | 0x771aafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77230000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x77380000 | 0x773b4fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x773c0000 | 0x773d8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773e0000 | 0x7742dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77470000 | 0x77470fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ff50000 | 0x7ff50000 | 0x7ff5ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007ff60000 | 0x7ff60000 | 0x7ffaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 30 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe | 213.50 KB |
MD5:
1e8073f6a1421490fc093196e4eb884e
SHA1: 25b6296a419e8471ec899b8e1996fb20c5845c22 SHA256: d9a967d0caa8db86feca3ae469ef6797e81dfdac4d8531658cb242a87c80ce05 SSDeep: 6144:q+8ZepOGuDnw9tOJavXhe9Tedm/8b1tnzwa:qjZepgDj44Iyctnx |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | 4.96 MB |
MD5:
314d3c1ebe50ebc5d9809039ae02ba40
SHA1: 7029f1565d8cb5334d8d19f9b4e0797611037570 SHA256: 268909bc33f0f8c5312b51570016311e3676af651a57de38e42241dcc177b2d6 SSDeep: 98304:5oMp0qQF33UiVuCsLeSInsi7luD4bl5RNRn31wstaUIXke5R2/JJ:aQXG3UeupvIsi7luDspNx1TiXLRSJ |
|
|
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WbemDefaultPathParser | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
2 | |
| Create | WBEMLocator | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\SecurityCenter2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM AntivirusProduct |
|
1 |
File (151)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\EEBsYm5\Desktop\output.113528456.txt.config | type = file_attributes |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe | type = file_type |
|
2 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 554 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 4096 |
|
16 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 4333 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 65536 |
|
51 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 63064 |
|
3 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 33744 |
|
2 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 5840 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 32120 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 24984 |
|
2 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 17684 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 39420 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 20604 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 54184 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 61484 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 7464 |
|
4 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 57432 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 23524 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 65192 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 64020 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 61604 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 38452 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 61784 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 25148 |
|
2 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 17804 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 61724 |
|
2 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 26444 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 32448 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 29364 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 36828 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 6004 |
|
2 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 61932 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 49804 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 62944 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 14600 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 41044 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 23360 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 35204 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 8924 |
|
2 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 17848 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 22064 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 16060 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 52724 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 64360 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 33864 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 2527 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe | size = 4096 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe | size = 4391 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe | size = 65536 |
|
2 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe | size = 39584 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe | size = 7464 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe | size = 32017 |
|
1 |
Registry (21)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe | show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe" | os_pid = 0xba4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe" | os_pid = 0xbf4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 |
Module (52)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll | base_address = 0x6a310000 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ResetSecurity, address_out = 0x6a311944 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = SetSecurity, address_out = 0x6a311986 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BlessIWbemServices, address_out = 0x6a3119cc |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BlessIWbemServicesObject, address_out = 0x6a311a1e |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetPropertyHandle, address_out = 0x6a311a70 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = WritePropertyValue, address_out = 0x6a311a89 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Clone, address_out = 0x6a311aa2 |
|
2 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = VerifyClientKey, address_out = 0x6a312270 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetQualifierSet, address_out = 0x6a311d73 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Get, address_out = 0x6a311b96 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Put, address_out = 0x6a311b7a |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Delete, address_out = 0x6a311bb5 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetNames, address_out = 0x6a311bc8 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BeginEnumeration, address_out = 0x6a311be4 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Next, address_out = 0x6a311bf7 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = EndEnumeration, address_out = 0x6a311c16 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetPropertyQualifierSet, address_out = 0x6a311c26 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetObjectText, address_out = 0x6a311c3c |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = SpawnDerivedClass, address_out = 0x6a311c52 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = SpawnInstance, address_out = 0x6a311c68 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CompareTo, address_out = 0x6a311c7e |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetPropertyOrigin, address_out = 0x6a311c94 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = InheritsFrom, address_out = 0x6a311caa |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetMethod, address_out = 0x6a311cbd |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = PutMethod, address_out = 0x6a311cd9 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = DeleteMethod, address_out = 0x6a311cf5 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BeginMethodEnumeration, address_out = 0x6a311d08 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = NextMethod, address_out = 0x6a311d1b |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = EndMethodEnumeration, address_out = 0x6a311d37 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetMethodQualifierSet, address_out = 0x6a311d47 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetMethodOrigin, address_out = 0x6a311d5d |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Get, address_out = 0x6a311d86 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Put, address_out = 0x6a311da2 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Delete, address_out = 0x6a311dbb |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_GetNames, address_out = 0x6a311dce |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_BeginEnumeration, address_out = 0x6a311de4 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Next, address_out = 0x6a311df7 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_EndEnumeration, address_out = 0x6a311e13 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetCurrentApartmentType, address_out = 0x6a311d73 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetDemultiplexedStub, address_out = 0x6a3118fd |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CreateInstanceEnumWmi, address_out = 0x6a311580 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CreateClassEnumWmi, address_out = 0x6a3115f6 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ExecQueryWmi, address_out = 0x6a31169e |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ExecNotificationQueryWmi, address_out = 0x6a311717 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = PutInstanceWmi, address_out = 0x6a311790 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = PutClassWmi, address_out = 0x6a311810 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CloneEnumWbemClassObject, address_out = 0x6a311890 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ConnectServerWmi, address_out = 0x6a3124b7 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\users\eebsym5\desktop\output.113528456.txt.exe, desired_access = FILE_MAP_WRITE |
|
1 |
Service (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | service_name = MpsSvc |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = CRH2YWU7 |
|
1 | |
| Get Info | type = Operating System |
|
6 |
Mutex (33)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
10 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = www.myswcd.com, address_out = 54.191.17.130 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 50 bytes |
| Total Data Received | 213.77 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 54.191.17.130:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x49c |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 54.191.17.130 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49159 |
| Data Sent | 50 bytes |
| Data Received | 213.77 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 54.191.17.130, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 50, size_out = 50 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4664 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 39584 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 39481, size_out = 7464 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32017, size_out = 32017 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 124 bytes |
| Total Data Received | 5.17 MB |
| Contacted Host Count | 1 |
| Contacted Hosts | www.myswcd.com |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | www.myswcd.com |
| Server Port | 80 |
| Data Sent | 74 |
| Data Received | 5197207 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = www.myswcd.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /vol/v1.exe |
|
1 | |
| Send HTTP Request | headers = host: www.myswcd.com, connection: Keep-Alive, url = www.myswcd.com/vol/v1.exe |
|
1 | |
| Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Read Response | size = 65536, size_out = 4664 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 1624 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 33744 |
|
1 | |
| Read Response | size = 65536, size_out = 5840 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 33744 |
|
1 | |
| Read Response | size = 65536, size_out = 32120 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 24984 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 17684 |
|
1 | |
| Read Response | size = 65536, size_out = 39420 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 20604 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 54184 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 24984 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 61484 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 7464 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
3 | |
| Read Response | size = 65536, size_out = 57432 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 23524 |
|
1 | |
| Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
3 | |
| Read Response | size = 65536, size_out = 2580 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 164 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
3 | |
| Read Response | size = 65536, size_out = 38452 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
11 | |
| Read Response | size = 65536, size_out = 344 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
2 | |
| Read Response | size = 65536, size_out = 25148 |
|
1 | |
| Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Read Response | size = 65536, size_out = 18148 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 7464 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
2 | |
| Read Response | size = 65536, size_out = 25148 |
|
1 | |
| Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Read Response | size = 65536, size_out = 628 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 26444 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
2 | |
| Read Response | size = 65536, size_out = 32448 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 29364 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
2 | |
| Read Response | size = 65536, size_out = 36828 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 6004 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
3 | |
| Read Response | size = 65536, size_out = 492 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 7464 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 1624 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 49804 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 7464 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 1624 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 62944 |
|
1 | |
| Read Response | size = 65536, size_out = 14600 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 41044 |
|
1 | |
| Read Response | size = 65536, size_out = 23360 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 35204 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8924 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 6004 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
2 | |
| Read Response | size = 65536, size_out = 17848 |
|
1 | |
| Read Response | size = 65536, size_out = 1460 |
|
3 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 22064 |
|
1 | |
| Read Response | size = 65536, size_out = 16060 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 52724 |
|
1 | |
| Read Response | size = 65536, size_out = 2920 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 49411, size_out = 8924 |
|
1 | |
| Read Response | size = 40487, size_out = 3752 |
|
1 | |
| Read Response | size = 36735, size_out = 34208 |
|
1 | |
| Read Response | size = 2527, size_out = 2527 |
|
1 | |
| Close Session | - |
|
2 |
HTTP Session #2
| Information | Value |
|---|---|
| Server Name | www.myswcd.com |
| Server Port | 80 |
| Data Sent | 50 |
| Data Received | 218897 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = www.myswcd.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /vol/v2.exe |
|
1 | |
| Send HTTP Request | headers = host: www.myswcd.com, url = www.myswcd.com/vol/v2.exe |
|
1 | |
| Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Read Response | size = 65536, size_out = 4664 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 39584 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 39481, size_out = 7464 |
|
1 | |
| Read Response | size = 32017, size_out = 32017 |
|
1 | |
| Close Session | - |
|
2 |
Process #2: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /c netsh Advfirewall set allprofiles state off |
| Initial Working Directory | C:\Users\EEBsYm5\Desktop\ |
| Monitor | Start Time: 00:00:43, Reason: Child Process |
| Unmonitor | End Time: 00:01:00, Reason: Self Terminated |
| Monitor Duration | 00:00:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa54 |
| Parent PID | 0x9a4 (c:\users\eebsym5\desktop\output.113528456.txt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x002e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00570fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x0121ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001220000 | 0x01220000 | 0x01382fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01390000 | 0x0165efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a960000 | 0x4a9abfff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x71f40000 | 0x71f46fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75540000 | 0x75589fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x76480000 | 0x76489fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76490000 | 0x764aefff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76910000 | 0x769e3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76a90000 | 0x76b3bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76b40000 | 0x76c08fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ca0000 | 0x76d6bfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77230000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773e0000 | 0x7742dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77470000 | 0x77470fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\EEBsYm5\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\netsh.exe | os_pid = 0xa70, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4a960000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76910000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x769624c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7694ac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76953ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76962732 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-08-10 04:08:46 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 106891 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\EEBsYm5\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #3: netsh.exe
77
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\netsh.exe |
| Command Line | netsh Advfirewall set allprofiles state off |
| Initial Working Directory | C:\Users\EEBsYm5\Desktop\ |
| Monitor | Start Time: 00:00:43, Reason: Child Process |
| Unmonitor | End Time: 00:01:00, Reason: Self Terminated |
| Monitor Duration | 00:00:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa70 |
| Parent PID | 0xa54 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A74
0x
A88
0x
A94
0x
A98
0x
A9C
0x
AA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| netsh.exe.mui | 0x001e0000 | 0x001e4fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00200fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | r |
|
|
|
- |
| odbcint.dll.mui | 0x00230000 | 0x0023afff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00241fff | Pagefile Backed Memory | r |
|
|
|
- |
| mfc42u.dll.mui | 0x00250000 | 0x00257fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00271fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00447fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00550fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x0115ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0123ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x011cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x01161fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001190000 | 0x01190000 | 0x011cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0123ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0131ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x012bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012e0000 | 0x012e0000 | 0x0131ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001320000 | 0x01320000 | 0x0138ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001390000 | 0x01390000 | 0x0148ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001490000 | 0x01490000 | 0x0159ffff | Private Memory | rw |
|
|
|
- |
| netsh.exe | 0x01620000 | 0x0163afff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000001640000 | 0x01640000 | 0x0186ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001640000 | 0x01640000 | 0x0176ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001640000 | 0x01640000 | 0x0171ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001760000 | 0x01760000 | 0x0176ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001830000 | 0x01830000 | 0x0186ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01870000 | 0x01b3efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001b40000 | 0x01b40000 | 0x01f32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x020bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x0209ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020b0000 | 0x020b0000 | 0x020bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002210000 | 0x02210000 | 0x0230ffff | Private Memory | rw |
|
|
|
- |
| p2pnetsh.dll | 0x6b440000 | 0x6b464fff | Memory Mapped File | rwx |
|
|
|
- |
| tdh.dll | 0x6b470000 | 0x6b507fff | Memory Mapped File | rwx |
|
|
|
- |
| ndfapi.dll | 0x6b510000 | 0x6b543fff | Memory Mapped File | rwx |
|
|
|
- |
| nettrace.dll | 0x6b550000 | 0x6b5d9fff | Memory Mapped File | rwx |
|
|
|
- |
| polstore.dll | 0x6b5e0000 | 0x6b625fff | Memory Mapped File | rwx |
|
|
|
- |
| adsldpc.dll | 0x6b630000 | 0x6b663fff | Memory Mapped File | rwx |
|
|
|
- |
| activeds.dll | 0x6b670000 | 0x6b6a4fff | Memory Mapped File | rwx |
|
|
|
- |
| nshipsec.dll | 0x6b6b0000 | 0x6b708fff | Memory Mapped File | rwx |
|
|
|
- |
| certcli.dll | 0x6b710000 | 0x6b765fff | Memory Mapped File | rwx |
|
|
|
- |
| napmontr.dll | 0x6b770000 | 0x6b798fff | Memory Mapped File | rwx |
|
|
|
- |
| wcnnetsh.dll | 0x6da80000 | 0x6da89fff | Memory Mapped File | rwx |
|
|
|
- |
| eappprxy.dll | 0x6da90000 | 0x6daa0fff | Memory Mapped File | rwx |
|
|
|
- |
| onex.dll | 0x6dab0000 | 0x6dae3fff | Memory Mapped File | rwx |
|
|
|
- |
| eappcfg.dll | 0x6daf0000 | 0x6db1efff | Memory Mapped File | rwx |
|
|
|
- |
| dot3api.dll | 0x6db20000 | 0x6db39fff | Memory Mapped File | rwx |
|
|
|
- |
| dot3cfg.dll | 0x6db40000 | 0x6db56fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcnsh.dll | 0x6db60000 | 0x6db6afff | Memory Mapped File | rwx |
|
|
|
- |
| hnetmon.dll | 0x6db70000 | 0x6db76fff | Memory Mapped File | rwx |
|
|
|
- |
| netiohlp.dll | 0x6db80000 | 0x6dbabfff | Memory Mapped File | rwx |
|
|
|
- |
| authfwcfg.dll | 0x6dbb0000 | 0x6dc03fff | Memory Mapped File | rwx |
|
|
|
- |
| mfc42u.dll | 0x6dc10000 | 0x6dd2efff | Memory Mapped File | rwx |
|
|
|
- |
| whhelper.dll | 0x6dd30000 | 0x6dd36fff | Memory Mapped File | rwx |
|
|
|
- |
| fwcfg.dll | 0x6dd40000 | 0x6dd50fff | Memory Mapped File | rwx |
|
|
|
- |
| nshwfp.dll | 0x6dd60000 | 0x6de03fff | Memory Mapped File | rwx |
|
|
|
- |
| odbcint.dll | 0x6de10000 | 0x6de47fff | Memory Mapped File | rwx |
|
|
|
- |
| credui.dll | 0x6de50000 | 0x6de7afff | Memory Mapped File | rwx |
|
|
|
- |
| winipsec.dll | 0x6e160000 | 0x6e173fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpqec.dll | 0x6e440000 | 0x6e456fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x6e460000 | 0x6e4ebfff | Memory Mapped File | rwx |
|
|
|
- |
| httpapi.dll | 0x6e820000 | 0x6e82afff | Memory Mapped File | rwx |
|
|
|
- |
| ifmon.dll | 0x6ee80000 | 0x6ee88fff | Memory Mapped File | rwx |
|
|
|
- |
| nshhttp.dll | 0x6ee90000 | 0x6ee99fff | Memory Mapped File | rwx |
|
|
|
- |
| nci.dll | 0x6eed0000 | 0x6eee5fff | Memory Mapped File | rwx |
|
|
|
- |
| rasmontr.dll | 0x6f8d0000 | 0x6f8fdfff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x6fcf0000 | 0x6fd3efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x6fd40000 | 0x6fd97fff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x6fff0000 | 0x70004fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x71d30000 | 0x71d41fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2help.dll | 0x71f20000 | 0x71f22fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcmonitor.dll | 0x71f30000 | 0x71f35fff | Memory Mapped File | rwx |
|
|
|
- |
| wshelper.dll | 0x71f50000 | 0x71f56fff | Memory Mapped File | rwx |
|
|
|
- |
| wlanutil.dll | 0x72560000 | 0x72565fff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x72570000 | 0x72585fff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x725f0000 | 0x72604fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x72610000 | 0x72661fff | Memory Mapped File | rwx |
|
|
|
- |
| mprapi.dll | 0x72670000 | 0x72698fff | Memory Mapped File | rwx |
|
|
|
- |
| qutil.dll | 0x727c0000 | 0x727d6fff | Memory Mapped File | rwx |
|
|
|
- |
| netshell.dll | 0x729e0000 | 0x72c44fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x73670000 | 0x73681fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x73690000 | 0x7369cfff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x736b0000 | 0x736e7fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x737c0000 | 0x737c6fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x737d0000 | 0x737ebfff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x73870000 | 0x73879fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x738a0000 | 0x738b3fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x738f0000 | 0x738fffff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x73c40000 | 0x73c4efff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x73c50000 | 0x73c58fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x73c60000 | 0x73c70fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74360000 | 0x744fdfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748d0000 | 0x748d8fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x748e0000 | 0x74955fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74a30000 | 0x74a46fff | Memory Mapped File | rwx |
|
|
|
- |
| devrtl.dll | 0x74bd0000 | 0x74bddfff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x74ca0000 | 0x74cc1fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74cd0000 | 0x74d13fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74e10000 | 0x74e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74f80000 | 0x74f96fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x75010000 | 0x75051fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75220000 | 0x75238fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x75290000 | 0x75297fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x752b0000 | 0x752cafff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75380000 | 0x7538afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75400000 | 0x75411fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75420000 | 0x7553cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75540000 | 0x75589fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75590000 | 0x755b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75680000 | 0x75720fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75730000 | 0x75774fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75810000 | 0x75815fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75830000 | 0x76479fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x76480000 | 0x76489fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76490000 | 0x764aefff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x764b0000 | 0x7664cfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76750000 | 0x768abfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76910000 | 0x769e3fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x769f0000 | 0x76a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76a90000 | 0x76b3bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76b40000 | 0x76c08fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c10000 | 0x76c9efff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ca0000 | 0x76d6bfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76e10000 | 0x76e66fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77230000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x77380000 | 0x773b4fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x773c0000 | 0x773d8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773e0000 | 0x7742dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77470000 | 0x77470fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 38 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
1 |
Registry (23)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh | - |
|
1 |
Module (46)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | RASMONTR.DLL | base_address = 0x6f8d0000 |
|
1 | |
| Load | NSHWFP.DLL | base_address = 0x6dd60000 |
|
1 | |
| Load | DHCPCMONITOR.DLL | base_address = 0x71f30000 |
|
1 | |
| Load | WSHELPER.DLL | base_address = 0x71f50000 |
|
1 | |
| Load | NSHHTTP.DLL | base_address = 0x6ee90000 |
|
1 | |
| Load | FWCFG.DLL | base_address = 0x6dd40000 |
|
1 | |
| Load | AUTHFWCFG.DLL | base_address = 0x6dbb0000 |
|
1 | |
| Load | IFMON.DLL | base_address = 0x6ee80000 |
|
1 | |
| Load | NETIOHLP.DLL | base_address = 0x6db80000 |
|
1 | |
| Load | WHHELPER.DLL | base_address = 0x6dd30000 |
|
1 | |
| Load | HNETMON.DLL | base_address = 0x6db70000 |
|
1 | |
| Load | RPCNSH.DLL | base_address = 0x6db60000 |
|
1 | |
| Load | DOT3CFG.DLL | base_address = 0x6db40000 |
|
1 | |
| Load | NAPMONTR.DLL | base_address = 0x6b770000 |
|
1 | |
| Load | NSHIPSEC.DLL | base_address = 0x6b6b0000 |
|
1 | |
| Load | NETTRACE.DLL | base_address = 0x6b550000 |
|
1 | |
| Load | WCNNETSH.DLL | base_address = 0x6da80000 |
|
1 | |
| Load | P2PNETSH.DLL | base_address = 0x6b440000 |
|
1 | |
| Load | WLANCFG.DLL | base_address = 0x6b360000 |
|
1 | |
| Load | WWANCFG.DLL | base_address = 0x6da70000 |
|
1 | |
| Load | PEERDISTSH.DLL | base_address = 0x6b290000 |
|
1 | |
| Load | kernel32.dll | base_address = 0x76910000 |
|
1 | |
| Get Handle | c:\windows\system32\netsh.exe | base_address = 0x1620000 |
|
2 | |
| Get Address | c:\windows\system32\rasmontr.dll | function = InitHelperDll, address_out = 0x6f8e6cb9 |
|
1 | |
| Get Address | c:\windows\system32\nshwfp.dll | function = InitHelperDll, address_out = 0x6ddbbbb2 |
|
1 | |
| Get Address | c:\windows\system32\dhcpcmonitor.dll | function = InitHelperDll, address_out = 0x71f31cd4 |
|
1 | |
| Get Address | c:\windows\system32\wshelper.dll | function = InitHelperDll, address_out = 0x71f5157b |
|
1 | |
| Get Address | c:\windows\system32\nshhttp.dll | function = InitHelperDll, address_out = 0x6ee91b47 |
|
1 | |
| Get Address | c:\windows\system32\fwcfg.dll | function = InitHelperDll, address_out = 0x6dd42a30 |
|
1 | |
| Get Address | c:\windows\system32\authfwcfg.dll | function = InitHelperDll, address_out = 0x6dbb4420 |
|
1 | |
| Get Address | c:\windows\system32\ifmon.dll | function = InitHelperDll, address_out = 0x6ee817a3 |
|
1 | |
| Get Address | c:\windows\system32\netiohlp.dll | function = InitHelperDll, address_out = 0x6db96e4b |
|
1 | |
| Get Address | c:\windows\system32\whhelper.dll | function = InitHelperDll, address_out = 0x6dd31c99 |
|
1 | |
| Get Address | c:\windows\system32\hnetmon.dll | function = InitHelperDll, address_out = 0x6db7200c |
|
1 | |
| Get Address | c:\windows\system32\rpcnsh.dll | function = InitHelperDll, address_out = 0x6db62f94 |
|
1 | |
| Get Address | c:\windows\system32\dot3cfg.dll | function = InitHelperDll, address_out = 0x6db4a31d |
|
1 | |
| Get Address | c:\windows\system32\napmontr.dll | function = InitHelperDll, address_out = 0x6b77c7d5 |
|
1 | |
| Get Address | c:\windows\system32\nshipsec.dll | function = InitHelperDll, address_out = 0x6b6b6910 |
|
1 | |
| Get Address | c:\windows\system32\nettrace.dll | function = InitHelperDll, address_out = 0x6b59268b |
|
1 | |
| Get Address | c:\windows\system32\wcnnetsh.dll | function = InitHelperDll, address_out = 0x6da8228c |
|
1 | |
| Get Address | c:\windows\system32\p2pnetsh.dll | function = InitHelperDll, address_out = 0x6b4438e5 |
|
1 | |
| Get Address | Unknown module name | function = InitHelperDll, address_out = 0x6b36c7d8 |
|
1 | |
| Get Address | Unknown module name | function = InitHelperDll, address_out = 0x6da720ed |
|
1 | |
| Get Address | Unknown module name | function = InitHelperDll, address_out = 0x6b30c796 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x769624c2 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-08-10 04:08:47 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 107453 |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Process #5: vkvmtnchwv3w.exe
301
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe |
| Command Line | "C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe" |
| Initial Working Directory | C:\Users\EEBsYm5\Desktop\ |
| Monitor | Start Time: 00:01:18, Reason: Child Process |
| Unmonitor | End Time: 00:01:23, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xba4 |
| Parent PID | 0x9a4 (c:\users\eebsym5\desktop\output.113528456.txt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00040fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002d0000 | 0x00336fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00437fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003e4fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003cbfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00465fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003c7fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003e8fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00667fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00792fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00902fff | Pagefile Backed Memory | r |
|
|
|
- |
| vkvmtnchwv3w.exe | 0x01250000 | 0x0129dfff | Memory Mapped File | rwx |
|
|
|
|
| api-ms-win-core-synch-l1-2-0.dll | 0x71f10000 | 0x71f12fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75540000 | 0x75589fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75680000 | 0x75720fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75810000 | 0x75815fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76910000 | 0x769e3fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76a90000 | 0x76b3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77230000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x77380000 | 0x773b4fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77470000 | 0x77470fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd | 53.50 KB |
MD5:
ef46c349a76a9c466014a6a67cbaac99
SHA1: 2f9ef385498261d129d2ced0096b56df30ac6afc SHA256: 815430609a61ae49de9150e82e688c4175e296b2274aefa0373fe39bb4948042 SSDeep: 384:/xwYe6V2dqG5islrOmlpiFK4r4A5Zaqb/K2KUpH3d:5ve6V2MG5iKOmlyKwNR |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd | 9.50 KB |
MD5:
0a3ec8fff372a800326eb8365de81f38
SHA1: 9707b3babda5d081f6c7188a00039721746c548c SHA256: 17fbe1dd26ac0b49b7764d5f667fd12b9929b7fa9fa60395847cf80f653a0fdb SSDeep: 192:bSI4ySF5IHS37idhL0zd3XXF2dqgeFI4BUKXKXecWnHcyZfgC:b4F5cQ7O+zhHF2KZZ |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll | 2.51 MB |
MD5:
22ea7603bf1f1aaa2ae6d89ddc9cb663
SHA1: 30552231ad37b14a0bb3f8b95b4d700da8d4ef6c SHA256: ac02f0ab3707eaf2d6980eeaf73cfd064e77121ce8a78d057be84c3b436746c5 SSDeep: 49152:Z3sX1oyMz3EzLZbDzRMLVCczh005HGVbgICqPdn4MMSH5agI+FTjq5+el30FXG:Z61oxVCczhpdN3g4MfHUl+aZSFX |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll | 637.83 KB |
MD5:
b3892e6da8e2c8ce4b0a9d3eb9a185e5
SHA1: e81c5908187d359eedb6304184e761efb38d6634 SHA256: ae163388201ef2f119e11265586e7da32c6e5b348e0cc32e3f72e21ebfd0843b SSDeep: 12288:Zhr4UCe8uLQrIYE8EdPz1n0/WGipK5d7AO7QlxxdmRyy1:981FYPz8WGip0d7AhpdmRyy1 |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd | 28.50 KB |
MD5:
dd3db5480eb52e8f69d47f3b725e6bfb
SHA1: cb14cda7f5e3e2b88c823e4d15643680398b361e SHA256: 51054f4d28782b6698b1b6510317650e797e11f87fa29fceaf8559b6bcbf4dfe SSDeep: 384:9KckxaWHQuFS1bIYcBjZjKPzA37usOo8Vd6IHiPKDkAKB5F0riz4BPK27raf0:9DkxaywpjcJhaAahoICS4AI3GDm |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h | 20.82 KB |
MD5:
bc185de8b2437963368a85fdd9852951
SHA1: 1459f1428214fcca7f203fb3a3aff28e16eb9c1b SHA256: 8b130d901e0f83b55699d565f103f2f8f1b3a51712ebb4b9646ea517cc1f04d6 SSDeep: 384:pGpFpaU1kgCw8r+MIP8Bj5DvVySh3awQBoerw8W+PYV0FGYfN/+:pGpFpb+IU99UShATrw8W+AKF/+ |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd | 24.50 KB |
MD5:
6de0ace298bfe90b36a173e7547f7c6a
SHA1: 871bbf9cd0c056b2aef11a0af83d07ee33ca46ca SHA256: e5b51438204d762734625f3e03c571b3b90c2ecdc358af167bdbc6bea8a0d3e3 SSDeep: 768:9RZ5g+l3KQZrpJI+LXOJqIsmANOtrD5OEhrV262R:9RZ5g+l3KQZrpfLXOJqIsmANOtvhrV2Z |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd | 50.50 KB |
MD5:
2ac64a3ea631e7e43d01cbb149919da4
SHA1: 53ea53a48ee79c836c4b1ef8f3d58f69913cfdfe SHA256: 1e7d4623b0d1953a02c604b782cf3f7d0bd84884e032c863f0d5f488af425dec SSDeep: 1536:0/CFaMdXLQXytg5wInItlHCMRZYL2oITtepJW9X0b:RPDtlHCtPITt4E9Eb |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest | 0.98 KB |
MD5:
7af6b943120fadcb5fd3115be3424dde
SHA1: 0b28564af655c64afcd0ba76369737b7c58daeae SHA256: 003d7dacfc30ae2eee403ec2e18710c79de92d7bb338df3be8cfe7f8ed15945c SSDeep: 12:TMHdtnQEH5ZCgV4SNXvNxW5v+MHCgVuNnhSN4XGpOvcNg4gv18zyiUGXwcGkVtvM:2dtn3ZEglN2v+zg4NnEN4X1me5rcb3S |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd | 91.00 KB |
MD5:
0927967ca911391c4e4ef10b950499a5
SHA1: 38c23cb6d6461ae1ed04b26835058d9367be63c2 SHA256: d44f765d24d572188c3d5ee803cf824b2db1e9bd4e6d1d95062cd6a764202cdd SSDeep: 1536:SEXH04hVhg2JGa1ISZaf66lvIcEd+H4qk9R/Ec3LcGzVmH7WU3f:DU4Bg2JdqSZlPcAaE/P3LFzVmH7WU3f |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd | 672.50 KB |
MD5:
e38072d0db1371b05fc861ccd1bb0a37
SHA1: 594fc3f069a791f96e910a3dac122a7a32331eea SHA256: c83effcd8372389c2d3cff38fab5e41d0f7c96d9bb47a6e58de6ed63998ea3cb SSDeep: 12288:+f3T3AxoMPBt8FpQsVdFiI5mZMPXubUxktwdQ:o3LxM8XQsVdXSPAxLdQ |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd | 135.00 KB |
MD5:
5ee764051c2639c06764e3f7f97d249b
SHA1: a10a0b019da62cbb2b587df38770960f3b5905ce SHA256: 18675152111924780b6c746a78f11936d8ba31f18418b8e255e579d932f2acf6 SSDeep: 1536:oJS1sIuMkXYi1xxB/c9gtOmPNg8i5RpExhvMnFRJsVsErYcisoJGCePyZSxBrzWb:AymkoToJnvK+sVU82J/vKvJUoW4 |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd | 47.00 KB |
MD5:
aee0f99363c2445f47b6d64c30911d7e
SHA1: 2788e085d2a41497847e6867d3c0b553db4b4c29 SHA256: 59ef12178676e336d819f4e4b4d9c689fc51c95cd06ab9c5c1d06774f2657451 SSDeep: 768:8RsCOeSoO+rVa+KiejEG9SaFPBGsNoC+M6L1+UQX:iRO+rVXKicSaFP0C7gLBQ |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest | 1.03 KB |
MD5:
fedfdf2256720badeff9205e784b5dc8
SHA1: 014f80bbb14d6f9ed5fcf0757bf2bef1a22b3b88 SHA256: 6373fb8261af01506dc57dee535a0be800f3a59b18b0cc1e276807c746329ff6 SSDeep: 24:2dtn3mGv+zg4NnEN4XojC6vuVWV5rcb3S:ch35+zg4i0oKWmS |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd | 71.00 KB |
MD5:
6986a7cb6a80ef68644b1e9e5ec70545
SHA1: 15c426213be4d10c0b38443640ba8ac8068be7c8 SHA256: 27b035e9a0b63b1f4891dbae222dabd7a5756bfe1a504d9e9357d2b59b2fe5d9 SSDeep: 1536:ITfB9P4y4yhXYjrKV4S1uB8xgKvaGn6E8S+f0PP8fQKTiL:IrRYn04Su8xgKvaGn6XZfmAJTi |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll | 540.00 KB |
MD5:
c16381aa1c036104d6e4097463b69798
SHA1: df29e08edb9729e2829ec39b9003ee80202b35ed SHA256: ffefe1cc04f2f0e47e43c8c823447637fab227482ea8b69c8d2b4e6198f00da4 SSDeep: 12288:4qSD9MQCNucGNXzIRbhapUqwdMMI9Z6z+lz3KRd4erm5jF:paWQCNu5zSaOq1jZ6y8deZF |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd | 11.50 KB |
MD5:
d59d197f69aa42f0a5d4e8e0a75fb2b4
SHA1: e1cf2873e5285f3df574f1441865199f8d6c647d SHA256: efca6435f01bc7399ef7907b6aeba9394b2966d46325f2a81f34eaa3c733dc4e SSDeep: 192:qY35RZ+QmbQNw7MPDNqcSUpdkDXUnv3XDVR6ykXc1U5Us:qY35nLiAPDNSsdGXoPzV5uuds |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll | 556.33 KB |
MD5:
db001faea818ae2e14a74e0adc530fc0
SHA1: 7db49c1a611b38a4f494b1db23087c751faa3de1 SHA256: 45cb405589c92bf74c47b7c90e299a5732a99403c51f301a5b60579caf3116e7 SSDeep: 12288:fCFE340h3e34GVZQACkIrYhUgiW6QR7t5183Ooc8SHkC2eHgAfl:fCh0h3e3vgzrA83Ooc8SHkC2eHgAfl |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll | 220.00 KB |
MD5:
7200dca324f3d1ecd11b2b1250b2d6c7
SHA1: df3219cfbc6f6ee6ef025b320563a195be46d803 SHA256: 636e12fea8c47ea528dba48827ac51a2e98b2ef0864854c9375b8170555c0a6e SSDeep: 3072:Yk3eocziNzMLSMOYscmnWCAXm00LRk86Goao1IJU87/amFYw8fF01OyA9LX:v6OMqcEJAXb0LRn6fa3/amiX2Oy0 |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll | 107.50 KB |
MD5:
a28653caf591fc7b4c7971821deb9a56
SHA1: 5ff590e23cbb45ae4a441eeecf2d0609103eec08 SHA256: 88d8eb5894c47990b4ff88e94a75f59c498cfd16b0f29894f0947f5ed2a862f3 SSDeep: 3072:VZsz18WtYUmuPcgxxKEYLRMMMHBBY2Y7bi0tf70fsNOK8dZ5TaY:VCzptYUmuEgxxKEYLRMbjY7bi0170EN4 |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd | 1.34 MB |
MD5:
b1ce5ba4b67e186b393fb85fd18c59af
SHA1: c27eb759181e4dfd80eb5f0f5848787cb7ce4bfd SHA256: 2a3911be8b1a2689de409188c1c72c3abe5ff0f51128f5d7a22b30e3a957ab97 SSDeep: 24576:3Toeiij2g9AqfUrSd7kq7iMfSDqq8I09tTTeCEi04ozFhmmvI+KpPQpzaGNXpJ+S:3sijeTrSd2ZV09tJP03YkaGJpJc2Lob0 |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd | 23.50 KB |
MD5:
6d0b7d549cc16f4018fd67bec9bb771e
SHA1: 3b3d425886ea8678d4d7557fcc50c36951be27bf SHA256: 654308420dd8362408b60e6d602c39101f1db75960112bc23f6298a810a1bf83 SSDeep: 384:TqFOIiDSVujmVnO7aNfnVs8jMDcqR56DUgnnVlyDIjM6D9cJ:OA/DSYiVnO7SBqRoBVRXD9c |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd | 10.00 KB |
MD5:
fd7ba0d28b7809d0dc15aef9d7eaf62b
SHA1: c56d51ea4e61431918c3f0220e6f4c56d3eb9b52 SHA256: 36314665fa2a6effbe7a4280b2d420a438d02c40bd7b6a690a588490a2e8e4d0 SSDeep: 192:TidzghojQKuGhNUyA5jQjT8KW6WZXN7cLmoVktRcX3X62dqSea:udzgwLkjjoT8KQXgVktQK2H |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd | 10.00 KB |
MD5:
7fec8c7c9fde5ac8f2eec8e5abdd1c56
SHA1: 82dd6659d95140b2a28e303044643cc4683155da SHA256: 69c2d16001339775dba69bc884ed95602bc126b65bb9dcf96a779790dd41f52c SSDeep: 192:LPDn3nSJIcNaVT6Gbp8wyhzh3X62dqH3:Lbn3nkNAT6Gl8lzdK2c |
|
|
| C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd | 991.00 KB |
MD5:
2c3221968e7f644a1fae03106791d85b
SHA1: 8a51cf7dd9a1d51ceba1c1465d1aa3424c6fb744 SHA256: 878388c1ae7319f7d1a89d2c186c460f41f259055b63cda29f5008f4025f4c5e SSDeep: 24576:+5UA5DF4x6jKzYpenuNnVgA4bO0+PwNAQpIUFLZsCZFpU8XrCSSa:cFc6WYpmuNVeODPOpIGFpU5SSa |
|
|
Host Behavior
File (263)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
26 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h | desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include | - |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | type = file_type |
|
26 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 4096, size_out = 4096 |
|
31 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 512, size_out = 96 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 1024, size_out = 1024 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 512, size_out = 408 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 16384, size_out = 16384 |
|
2 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 40960, size_out = 40960 |
|
2 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 475136, size_out = 475136 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 20480, size_out = 20480 |
|
2 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 671744, size_out = 671744 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 36864, size_out = 36864 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 155648, size_out = 155648 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 315392, size_out = 315392 |
|
2 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 57344, size_out = 57344 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 1200128, size_out = 1200128 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 258048, size_out = 258048 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 8192, size_out = 8192 |
|
2 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd | size = 28672 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd | size = 512 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd | size = 53248 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd | size = 1536 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd | size = 8192 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd | size = 2048 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd | size = 8192 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd | size = 1536 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd | size = 8192 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd | size = 2048 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest | size = 1050 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd | size = 90112 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd | size = 3072 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd | size = 1011712 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd | size = 3072 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd | size = 45056 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd | size = 3072 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd | size = 49152 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd | size = 2560 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd | size = 1404928 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd | size = 1024 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd | size = 69632 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd | size = 3072 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest | size = 1008 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll | size = 225280 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll | size = 569344 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll | size = 336 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll | size = 651264 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll | size = 1872 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd | size = 135168 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd | size = 3072 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll | size = 2629632 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll | size = 2048 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll | size = 106496 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll | size = 3584 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd | size = 8192 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd | size = 3584 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll | size = 552960 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd | size = 688128 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd | size = 512 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd | size = 20480 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd | size = 3584 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd | size = 24576 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd | size = 512 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h | size = 20480 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h | size = 841 |
|
1 | |
| Delete Directory | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include | - |
|
1 | |
| Delete Directory | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | os_pid = 0xbb8, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_SHOWNORMAL |
|
1 |
Module (31)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x0 |
|
2 | |
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x71f10000 |
|
2 | |
| Load | api-ms-win-core-fibers-l1-1-1 | base_address = 0x0 |
|
4 | |
| Load | kernel32 | base_address = 0x0 |
|
2 | |
| Load | kernel32 | base_address = 0x76910000 |
|
2 | |
| Load | api-ms-win-core-localization-l1-2-1 | base_address = 0x0 |
|
2 | |
| Load | api-ms-win-appmodel-runtime-l1-1-1 | base_address = 0x0 |
|
2 | |
| Load | ext-ms-win-kernel32-package-current-l1-1-0 | base_address = 0x0 |
|
2 | |
| Get Handle | c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe | base_address = 0x1250000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | api-ms-win-core-localization-l1-2-1 | process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 260 |
|
1 | |
| Get Filename | api-ms-win-core-localization-l1-2-1 | process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 |
|
1 | |
| Get Address | c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll | function = InitializeCriticalSectionEx, address_out = 0x0 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7696418d |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x769676e6 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76961e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7699f72b |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-08-10 04:09:13 (UTC) |
|
1 |
Environment (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = _MEIPASS2 |
|
1 | |
| Get Environment String | name = _MEIPASS2, result_out = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 |
|
1 | |
| Set Environment String | name = _MEIPASS2 |
|
1 | |
| Set Environment String | name = _MEIPASS2, value = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 |
|
1 |
Process #6: vkvmtnchwv3w.exe
873
203
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe |
| Command Line | "C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe" |
| Initial Working Directory | C:\Users\EEBsYm5\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbb8 |
| Parent PID | 0xba4 (c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BBC
0x
BC0
0x
BC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00040000 | 0x000a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x000d0000 | 0x000ecfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| tzres.dll | 0x000f0000 | 0x000f0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00106fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00211fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00437fff | Pagefile Backed Memory | r |
|
|
|
- |
| rsaenh.dll | 0x00440000 | 0x0047bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00440fff | Pagefile Backed Memory | r |
|
|
|
- |
| cookies.sqlite-shm | 0x00450000 | 0x00457fff | Memory Mapped File | rw |
|
|
|
|
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x005b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x011bffff | Pagefile Backed Memory | r |
|
|
|
- |
| vkvmtnchwv3w.exe | 0x01250000 | 0x0129dfff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000012a0000 | 0x012a0000 | 0x0138ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x012a0000 | 0x0135ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000001380000 | 0x01380000 | 0x0138ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001390000 | 0x01390000 | 0x0148ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001490000 | 0x01490000 | 0x01882fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001890000 | 0x01890000 | 0x01a8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01a90000 | 0x01d5efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x0215ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0226ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x021fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x0226ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002320000 | 0x02320000 | 0x0241ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002420000 | 0x02420000 | 0x02743fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002420000 | 0x02420000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002420000 | 0x02420000 | 0x0251ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| crypto.cipher._des3.pyd | 0x10000000 | 0x1000ffff | Memory Mapped File | rwx |
|
|
|
- |
| _hashlib.pyd | 0x6a8b0000 | 0x6a9adfff | Memory Mapped File | rwx |
|
|
|
- |
| python27.dll | 0x6a9b0000 | 0x6ac47fff | Memory Mapped File | rwx |
|
|
|
|
| sqlite3.dll | 0x6b2c0000 | 0x6b34afff | Memory Mapped File | rwx |
|
|
|
- |
| _ssl.pyd | 0x6b350000 | 0x6b4acfff | Memory Mapped File | rwx |
|
|
|
- |
| _sqlite3.pyd | 0x6e170000 | 0x6e17ffff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x6e710000 | 0x6e71bfff | Memory Mapped File | rwx |
|
|
|
- |
| _socket.pyd | 0x6e720000 | 0x6e72efff | Memory Mapped File | rwx |
|
|
|
- |
| _ctypes.pyd | 0x6ee80000 | 0x6ee99fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x704a0000 | 0x704a5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr90.dll | 0x713b0000 | 0x71452fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x71f10000 | 0x71f12fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x736b0000 | 0x736e7fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x737c0000 | 0x737c6fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x737d0000 | 0x737ebfff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74960000 | 0x74964fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74bf0000 | 0x74c2afff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74cd0000 | 0x74d13fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x74e00000 | 0x74e05fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74e10000 | 0x74e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74e50000 | 0x74e65fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x752d0000 | 0x752dbfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75420000 | 0x7553cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75540000 | 0x75589fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75680000 | 0x75720fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75810000 | 0x75815fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75830000 | 0x76479fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x76480000 | 0x76489fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76490000 | 0x764aefff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76750000 | 0x768abfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76910000 | 0x769e3fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x769f0000 | 0x76a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76a90000 | 0x76b3bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76b40000 | 0x76c08fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c10000 | 0x76c9efff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ca0000 | 0x76d6bfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76e10000 | 0x76e66fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77230000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x77380000 | 0x773b4fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x773c0000 | 0x773d8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773e0000 | 0x7742dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77470000 | 0x77470fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm | 32.00 KB |
MD5:
b7c14ec6110fa820ca6b65f5aec85911
SHA1: 608eeb7488042453c9ca40f7e1398fc1a270f3f4 SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb SSDeep: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX |
|
|
| c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | 18.00 KB |
MD5:
29844404ae855e9df054833f71888eb1
SHA1: 3e86f08def08fc14ddec0227d0643319562666db SHA256: c381401ea96dfe9b926126dcbbc0dd6ab541dbf549732cc6c66f20096b1f663e SSDeep: 24:LLijhJ0KL7G0TMJHUyyJtmCm0u6lOKQAE9V8FsffDVOzeCmly6UwcTa/HMQW:wz+JH3yJUhJCVE9V8FsXhFlNU1Ts3W |
|
|
| c:\users\eebsym5\appdata\local\temp\mybrs.log | 0.44 KB |
MD5:
377177eb667fc31310cdb419f8bd0f7e
SHA1: 35e3ca98b5c49caa247124c0d59371b5c78c8fba SHA256: d26f31f843b61ace4513d28f98424e24acc9e89b0520e211a3d8b7100a28b4ce SSDeep: 12:qrgteH0H2M+LNhPibo+zcMEuKFaJg7ndc1K:IKONhKF/EuKFaJimK |
|
|
| c:\users\eebsym5\appdata\local\temp\9r5qk2 | 0.00 KB |
MD5:
3f1d1d8d87177d3d8d897d7e421f84d6
SHA1: dd082d742a5cb751290f1db2bd519c286aa86d95 SHA256: f02285fb90ed8c81531fe78cf4e2abb68a62be73ee7d317623e2c3e3aefdfff2 SSDeep: 3:qn:qn |
|
|
| c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe | 7.00 KB |
MD5:
e0005de376874498d2f66f6503cf1399
SHA1: baec963b5918094a50a4b08292bb230eeebd6897 SHA256: 32812d196066c99bf3852fad78b00063dc68e6cc5fb26ae6c862c8c5777d51b0 SSDeep: 48:tNecVTgPOpEveoJZFrU10WBcPz9K4t9EiDYo:tVSNDX2AK4t9p |
|
|
| c:\users\eebsym5\appdata\local\temp\mybrs.log | 0.13 KB |
MD5:
a4aa7ec6ac16506a35f56d57e1d1f51f
SHA1: 8cdd756595a2431228ff25b615ed50de783dc365 SHA256: d6ab363af3135a13c026ba865909a83010f2c1ce4f40ceecd61aedd649a80c47 SSDeep: 3:dXAaI+n4t+divXf4hQgFu5wWDl7Qp4EaKC50HE9jnI0ZAFyn:dQaI+4t3Xf4tFuNFQ/aZ50HE9bRZx |
|
|
| c:\users\eebsym5\appdata\local\temp\mybrs.log | 0.36 KB |
MD5:
4e8a981abf12a8d545be3921c4a72102
SHA1: d7668647c81060e2346aa8d2a515f0914337853d SHA256: 665ac4f11caaab2e42eeb26d61d003c12df62d45014be29413cca90d45ff08d2 SSDeep: 6:dQaI+4t3Xf4tFuNFQ/aZ50HE9bRZUaI+oXf4LHthUUDGbbTAaI+oXf4zcMEuKFbn:qrgteH0H2M+LNhPibo+zcMEuKFb |
|
|
| c:\users\eebsym5\appdata\local\temp\mybrs.log | 0.24 KB |
MD5:
5c8b016bbcb1cbf277be5e98740e7d94
SHA1: 722545a1a7fd6ed18658119024d8ff09019278b6 SHA256: 5414514a3c32f3d02be8258a4c7f8588161414b84c5101e4571d058352b9f455 SSDeep: 6:dQaI+4t3Xf4tFuNFQ/aZ50HE9bRZUaI+oXf4LHthUUDGbbZ:qrgteH0H2M+LNhPibd |
|
|
Host Behavior
File (714)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1 | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | file_attributes = _O_RDONLY | _O_BINARY |
|
114 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pyimod00_crypto_key.pyd | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pyimod00_crypto_key.py | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pyimod00_crypto_key.pyw | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pyimod00_crypto_key.pyc | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_ctypes.pyd | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_socket.pyd | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_ssl.pyd | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_hashlib.pyd | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\fcntl.pyd | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\fcntl.py | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\fcntl.pyw | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\fcntl.pyc | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | c:\users\eebsym5\appdata\local\temp\9r5qk2 | file_attributes = _O_RDWR, _O_NOINHERIT, _O_CREAT, _O_EXCL |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_sqlite3.pyd | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pwd.pyd | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pwd.py | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pwd.pyw | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pwd.pyc | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\grp.pyd | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\grp.py | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\grp.pyw | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\grp.pyc | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\Crypto.Cipher._DES3.pyd | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Local State | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | file_attributes = _O_WRONLY | _O_BINARY |
|
1 | |
| Create | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe | file_attributes = _O_WRONLY | _O_BINARY |
|
1 | |
| Create | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini | file_attributes = _O_RDONLY |
|
1 | |
| Create | c:\users\eebsym5\appdata\local\temp\mybrs.log | file_attributes = _O_WRONLY | _O_APPEND |
|
4 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-wal | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@ad13.adfarm1.adition[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adfarm1.adition[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adform[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adnxs[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adtech[2].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@advertising[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@api.bing[2].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@at.atwola[2].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bing[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[2].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.bing[2].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.msn[2].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@google[2].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@linkedin[2].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@msn[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@scorecardresearch[2].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@serving-sys[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@track.adform[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.bing[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.linkedin[1].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.msn[2].txt | file_attributes = _O_RDONLY |
|
1 | |
| Create | c:\users\eebsym5\appdata\local\temp\mybrs.log | file_attributes = _O_RDONLY |
|
1 | |
| Add Search Path | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 | - |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | type = file_type |
|
3 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pyimod00_crypto_key | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE?4045510 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\eggs | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\uuid | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\uuid.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\uuid | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\uuid.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\Wbem\uuid | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\Wbem\uuid.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\uuid | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\uuid.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\rpcrt4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\fcntl | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\advapi32 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\crypt32 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\kernel32 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\msvcrt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\vaultcli | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Local State | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data | type = file_attributes |
|
3 | |
| Get Info | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | type = file_attributes |
|
2 | |
| Get Info | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | type = file_attributes |
|
2 | |
| Get Info | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq-journal | type = file_attributes |
|
2 | |
| Get Info | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | type = size, size_out = 0 |
|
5 | |
| Get Info | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq-wal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies | type = file_attributes |
|
3 | |
| Get Info | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe | type = file_attributes |
|
2 | |
| Get Info | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe | type = file_attributes |
|
2 | |
| Get Info | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal | type = file_attributes |
|
39 | |
| Get Info | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe | type = size, size_out = 0 |
|
116 | |
| Get Info | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal | type = file_attributes |
|
39 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db-journal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db | type = size, size_out = 0 |
|
5 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db-wal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-journal | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite | type = size, size_out = 0 |
|
22 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-wal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm | type = size, size_out = 0 |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-wal | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-wal | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\Ntdll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\INetCookies\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\ | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 512, size_out = 96 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 1024, size_out = 1024 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 512, size_out = 408 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 4, size_out = 4 |
|
4 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 17308, size_out = 17307 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 8304, size_out = 8304 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 5695, size_out = 5695 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 950, size_out = 950 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1405, size_out = 1405 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 5838, size_out = 5838 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1679, size_out = 1679 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1232, size_out = 1232 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2980, size_out = 2980 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 7452, size_out = 7452 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2528, size_out = 2528 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2508, size_out = 2508 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2369, size_out = 2369 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2112, size_out = 2112 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 10519, size_out = 10519 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 3084, size_out = 3084 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 6930, size_out = 6930 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1042, size_out = 1042 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 8711, size_out = 8711 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 3498, size_out = 3498 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 7006, size_out = 7006 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1810, size_out = 1810 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 6021, size_out = 6021 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 5151, size_out = 5151 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 5480, size_out = 5480 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 8274, size_out = 8274 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2699, size_out = 2699 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 9252, size_out = 9252 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1181, size_out = 1181 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 5906, size_out = 5906 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 14670, size_out = 14670 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 3385, size_out = 3385 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 7428, size_out = 7428 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1693, size_out = 1693 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 10202, size_out = 10202 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1746, size_out = 1746 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 3203, size_out = 3203 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 12277, size_out = 12277 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 12852, size_out = 12852 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 4924, size_out = 4924 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 6800, size_out = 6800 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1806, size_out = 1806 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 4422, size_out = 4422 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 6260, size_out = 6260 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 19217, size_out = 19217 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 911, size_out = 911 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 4500, size_out = 4500 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2295, size_out = 2295 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 71, size_out = 71 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 4399, size_out = 4399 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2346, size_out = 2346 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1001, size_out = 1001 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 405, size_out = 405 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 4583, size_out = 4583 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 101, size_out = 101 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1092, size_out = 1092 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 7762, size_out = 7762 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1706, size_out = 1706 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 4354, size_out = 4354 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 4959, size_out = 4959 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1147, size_out = 1147 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 5548, size_out = 5548 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 5882, size_out = 5882 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 9029, size_out = 9029 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 231, size_out = 231 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 90, size_out = 90 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 94, size_out = 94 |
|
3 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 611, size_out = 611 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 975, size_out = 975 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 438, size_out = 438 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 11182, size_out = 11182 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1952, size_out = 1952 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 18653, size_out = 18653 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 4608, size_out = 4608 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 13594, size_out = 13594 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1036, size_out = 1036 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 91, size_out = 91 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 659, size_out = 659 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 489, size_out = 489 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 89, size_out = 89 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 6511, size_out = 6511 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 298, size_out = 298 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 4718, size_out = 4718 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 225, size_out = 225 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 3235, size_out = 3235 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1369, size_out = 1369 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1398, size_out = 1398 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 14981, size_out = 14981 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2463, size_out = 2463 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 22528, size_out = 22528 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 407, size_out = 407 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 5495, size_out = 5495 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2166, size_out = 2166 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2246, size_out = 2246 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 343, size_out = 343 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 358, size_out = 358 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 597, size_out = 597 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 425, size_out = 425 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 35306, size_out = 35306 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 660, size_out = 660 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1391, size_out = 1391 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 462, size_out = 462 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1393, size_out = 1393 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1038, size_out = 1038 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2026, size_out = 2026 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 2192, size_out = 2192 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1997, size_out = 1997 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 4370, size_out = 4370 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 15741, size_out = 15741 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 752, size_out = 752 |
|
1 | |
| Read | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Local State | size = 67148, size_out = 67147 |
|
1 | |
| Read | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data | size = 16384, size_out = 2048 |
|
1 | |
| Read | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data | size = 16384, size_out = 0 |
|
1 | |
| Read | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | size = 100, size_out = 100 |
|
1 | |
| Read | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | size = 2048, size_out = 2048 |
|
2 | |
| Read | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | size = 16, size_out = 16 |
|
1 | |
| Read | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies | size = 16384, size_out = 7168 |
|
1 | |
| Read | C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies | size = 16384, size_out = 0 |
|
1 | |
| Read | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe | size = 100, size_out = 100 |
|
1 | |
| Read | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe | size = 1024, size_out = 1024 |
|
2 | |
| Read | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe | size = 16, size_out = 16 |
|
38 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db | size = 100, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db | size = 60, size_out = 60 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db | size = 18, size_out = 18 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db | size = 20, size_out = 20 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db | size = 11, size_out = 11 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db | size = 52, size_out = 52 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db | size = 14, size_out = 14 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db | size = 1, size_out = 1 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db | size = 7, size_out = 7 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite | size = 100, size_out = 100 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite | size = 32768, size_out = 32768 |
|
3 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@ad13.adfarm1.adition[1].txt | size = 8192, size_out = 89 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adfarm1.adition[1].txt | size = 8192, size_out = 101 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adform[1].txt | size = 8192, size_out = 73 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adnxs[1].txt | size = 8192, size_out = 554 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adtech[2].txt | size = 8192, size_out = 102 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@advertising[1].txt | size = 8192, size_out = 282 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@api.bing[2].txt | size = 8192, size_out = 223 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@at.atwola[2].txt | size = 8192, size_out = 515 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bing[1].txt | size = 8192, size_out = 264 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[1].txt | size = 8192, size_out = 112 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[2].txt | size = 8192, size_out = 92 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.bing[2].txt | size = 8192, size_out = 456 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.msn[2].txt | size = 8192, size_out = 130 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@google[2].txt | size = 8192, size_out = 281 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@linkedin[2].txt | size = 8192, size_out = 271 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@msn[1].txt | size = 8192, size_out = 534 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@scorecardresearch[2].txt | size = 8192, size_out = 202 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@serving-sys[1].txt | size = 8192, size_out = 383 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@track.adform[1].txt | size = 8192, size_out = 75 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.bing[1].txt | size = 8192, size_out = 117 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.linkedin[1].txt | size = 8192, size_out = 168 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.msn[2].txt | size = 8192, size_out = 1006 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1409, size_out = 1409 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE | size = 1235, size_out = 1235 |
|
1 | |
| Read | c:\users\eebsym5\appdata\local\temp\mybrs.log | size = 453, size_out = 448 |
|
1 | |
| Write | c:\users\eebsym5\appdata\local\temp\9r5qk2 | size = 4 |
|
1 | |
| Write | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | size = 16384 |
|
1 | |
| Write | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | size = 2048 |
|
1 | |
| Write | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe | size = 7168 |
|
1 | |
| Write | c:\users\eebsym5\appdata\local\temp\mybrs.log | size = 132 |
|
1 | |
| Write | c:\users\eebsym5\appdata\local\temp\mybrs.log | size = 108 |
|
1 | |
| Write | c:\users\eebsym5\appdata\local\temp\mybrs.log | size = 123 |
|
1 | |
| Write | c:\users\eebsym5\appdata\local\temp\mybrs.log | size = 85 |
|
1 | |
| Delete | c:\users\eebsym5\appdata\local\temp\9r5qk2 | - |
|
1 | |
| Delete | c:\users\eebsym5\appdata\local\temp\fvwresvqqzq | - |
|
1 | |
| Delete | c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-wal | - |
|
1 | |
| Delete | c:\users\eebsym5\appdata\local\temp\mybrs.log | - |
|
1 |
Registry (11)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.7\PythonPath | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Python\PythonCore\2.7\PythonPath | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Python\PythonCore\2.7\Modules\pyimod00_crypto_key | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.7\Modules\pyimod00_crypto_key | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Python\PythonCore\2.7\Modules\fcntl | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.7\Modules\fcntl | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Python\PythonCore\2.7\Modules\pwd | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.7\Modules\pwd | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Python\PythonCore\2.7\Modules\grp | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.7\Modules\grp | - |
|
1 |
Module (137)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x0 |
|
2 | |
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x71f10000 |
|
2 | |
| Load | api-ms-win-core-fibers-l1-1-1 | base_address = 0x0 |
|
4 | |
| Load | kernel32 | base_address = 0x0 |
|
2 | |
| Load | kernel32 | base_address = 0x76910000 |
|
5 | |
| Load | api-ms-win-core-localization-l1-2-1 | base_address = 0x0 |
|
2 | |
| Load | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll | base_address = 0x6a9b0000 |
|
1 | |
| Load | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_ctypes.pyd | base_address = 0x6ee80000 |
|
1 | |
| Load | rpcrt4 | base_address = 0x75680000 |
|
1 | |
| Load | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_socket.pyd | base_address = 0x6e720000 |
|
1 | |
| Load | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_ssl.pyd | base_address = 0x6b350000 |
|
1 | |
| Load | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_hashlib.pyd | base_address = 0x6a8b0000 |
|
1 | |
| Load | advapi32 | base_address = 0x769f0000 |
|
1 | |
| Load | crypt32 | base_address = 0x75420000 |
|
1 | |
| Load | msvcrt | base_address = 0x76a90000 |
|
1 | |
| Load | vaultcli | base_address = 0x6e710000 |
|
1 | |
| Load | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_sqlite3.pyd | base_address = 0x6e170000 |
|
1 | |
| Load | C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\Crypto.Cipher._DES3.pyd | base_address = 0x10000000 |
|
1 | |
| Load | Ntdll | base_address = 0x77230000 |
|
1 | |
| Load | C:\Windows\system32\ws2_32 | base_address = 0x77380000 |
|
1 | |
| Load | api-ms-win-appmodel-runtime-l1-1-1 | base_address = 0x0 |
|
2 | |
| Load | ext-ms-win-kernel32-package-current-l1-1-0 | base_address = 0x0 |
|
2 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76910000 |
|
1 | |
| Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x769f0000 |
|
1 | |
| Get Handle | c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe | base_address = 0x1250000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | api-ms-win-core-localization-l1-2-1 | process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 260 |
|
1 | |
| Get Filename | api-ms-win-core-localization-l1-2-1 | process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 |
|
1 | |
| Get Filename | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll, size = 256 |
|
1 | |
| Get Filename | api-ms-win-core-localization-l1-2-1 | process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 256 |
|
1 | |
| Get Address | c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll | function = InitializeCriticalSectionEx, address_out = 0x0 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7696418d |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x769676e6 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76961e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7699f72b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateActCtxW, address_out = 0x76955d0f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ActivateActCtx, address_out = 0x76955911 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentActCtx, address_out = 0x7694bf9d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeactivateActCtx, address_out = 0x76955942 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = AddRefActCtx, address_out = 0x7694bffb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReleaseActCtx, address_out = 0x76957347 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_DontWriteBytecodeFlag, address_out = 0x6ac2f250 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_FileSystemDefaultEncoding, address_out = 0x6abd2c6c |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_FrozenFlag, address_out = 0x6ac2f248 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_IgnoreEnvironmentFlag, address_out = 0x6ac2f234 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_NoSiteFlag, address_out = 0x6ac2f244 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_NoUserSiteDirectory, address_out = 0x6ac2ef68 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_OptimizeFlag, address_out = 0x6ac2ef0c |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_VerboseFlag, address_out = 0x6ac2f230 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_BuildValue, address_out = 0x6aadbdb0 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_DecRef, address_out = 0x6aa73470 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_Finalize, address_out = 0x6aaec1d0 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_IncRef, address_out = 0x6aa73460 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_Initialize, address_out = 0x6aaec1c0 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_SetProgramName, address_out = 0x6aaec4f0 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = Py_SetPythonHome, address_out = 0x6aaec520 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyDict_GetItemString, address_out = 0x6aa55330 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyErr_Clear, address_out = 0x6aacd780 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyErr_Occurred, address_out = 0x6aacd330 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyErr_Print, address_out = 0x6aaecfb0 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyImport_AddModule, address_out = 0x6aad4770 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyImport_ExecCodeModule, address_out = 0x6aad4850 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyImport_ImportModule, address_out = 0x6aad6550 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyList_Append, address_out = 0x6aa67500 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyList_New, address_out = 0x6aa670e0 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyLong_AsLong, address_out = 0x6aa6b5d0 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyModule_GetDict, address_out = 0x6aa72f30 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyObject_CallFunction, address_out = 0x6aa3d580 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyObject_SetAttrString, address_out = 0x6aa74630 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyRun_SimpleString, address_out = 0x6aaee9a0 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyString_FromString, address_out = 0x6aa7a820 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyString_FromFormat, address_out = 0x6aa7b080 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PySys_AddWarnOption, address_out = 0x6aaf33e0 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PySys_SetArgvEx, address_out = 0x6aaf4140 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PySys_GetObject, address_out = 0x6aaf2440 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PySys_SetObject, address_out = 0x6aaf2500 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PySys_SetPath, address_out = 0x6aaf4060 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyEval_EvalCode, address_out = 0x6aabbd80 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll | function = PyMarshal_ReadObjectFromString, address_out = 0x6aada980 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29~1\_ctypes.pyd | function = init_ctypes, address_out = 0x6ee87900 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7695bf00 |
|
1 | |
| Get Address | c:\windows\system32\rpcrt4.dll | function = UuidCreate, address_out = 0x756a6483 |
|
1 | |
| Get Address | c:\windows\system32\rpcrt4.dll | function = UuidCreateSequential, address_out = 0x7569b8b0 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29~1\_socket.pyd | function = init_socket, address_out = 0x6e725790 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29~1\_ssl.pyd | function = init_ssl, address_out = 0x6b356600 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29~1\_hashlib.pyd | function = init_hashlib, address_out = 0x6a8b2200 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x769f91dd |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGenRandom, address_out = 0x769fdfc8 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RevertToSelf, address_out = 0x76a01562 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = ImpersonateLoggedOnUser, address_out = 0x769fc57a |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = DuplicateTokenEx, address_out = 0x769fca24 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76a0418e |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = LookupPrivilegeValueA, address_out = 0x76a0404a |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = ConvertSidToStringSidA, address_out = 0x76a2192a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LocalAlloc, address_out = 0x76963363 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetTokenInformation, address_out = 0x76a0431c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OpenProcess, address_out = 0x769559d7 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = OpenProcessToken, address_out = 0x76a04304 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7695ca7c |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredEnumerateA, address_out = 0x76a37381 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredFree, address_out = 0x769fb2ec |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x76a99910 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LocalFree, address_out = 0x7695ca64 |
|
1 | |
| Get Address | c:\windows\system32\crypt32.dll | function = CryptUnprotectData, address_out = 0x75455a7f |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultEnumerateVaults, address_out = 0x6e712945 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultOpenVault, address_out = 0x6e7126a9 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultEnumerateItems, address_out = 0x6e713099 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultGetItem, address_out = 0x6e713242 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultFree, address_out = 0x6e714321 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultCloseVault, address_out = 0x6e712718 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29~1\_sqlite3.pyd | function = init_sqlite3, address_out = 0x6e175c10 |
|
1 | |
| Get Address | c:\users\eebsym5\appdata\local\temp\_mei29~1\crypto.cipher._des3.pyd | function = init_DES3, address_out = 0x100026d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlGetVersion, address_out = 0x772965e3 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = getaddrinfo, address_out = 0x77384296 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = getnameinfo, address_out = 0x773867b7 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = freeaddrinfo, address_out = 0x77384b1b |
|
1 | |
| Create Mapping | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm | filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm, protection = PAGE_READWRITE, maximum_size = 32768 |
|
1 | |
| Map | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm | process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-08-10 04:09:14 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
2 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = _MEIPASS2, result_out = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 |
|
1 | |
| Set Environment String | name = _MEIPASS2 |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = 0x0x.co, address_out = 104.217.54.142, service = 80 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 2.18 KB |
| Total Data Received | 520 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 104.217.54.142:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x204 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_IP |
| Remote Address | 104.217.54.142 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49160 |
| Data Sent | 2.18 KB |
| Data Received | 520 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 104.217.54.142, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 2237, size_out = 2237 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
191 | |
| Receive | flags = NO_FLAG_SET, size = 322, size_out = 322 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
5 | |
| Close | type = SOCK_STREAM |
|
1 |
Process #7: jrsi6vakyydz.exe
183
7
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\eebsym5\appdata\local\temp\jrsi6vakyydz.exe |
| Command Line | "C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe" |
| Initial Working Directory | C:\Users\EEBsYm5\Desktop\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:01:43, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf4 |
| Parent PID | 0x9a4 (c:\users\eebsym5\desktop\output.113528456.txt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF8
0x
C04
0x
C08
0x
C0C
0x
C10
0x
C14
0x
C18
0x
C1C
0x
C20
0x
C24
0x
C28
0x
C2C
0x
C30
0x
C80
0x
C84
0x
CB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x002b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x004c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x0050ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00520fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | - |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rpcss.dll | 0x005e0000 | 0x0063bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | - |
|
|
|
- |
| l_intl.nls | 0x005f0000 | 0x005f2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00600fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0062ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00631fff | Pagefile Backed Memory | r |
|
|
|
- |
| sorttbls.nlp | 0x00640000 | 0x00644fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x00700000 | 0x00740fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x0076ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00796fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00980000 | 0x00c4efff | Memory Mapped File | r |
|
|
|
- |
| jrsi6vakyydz.exe | 0x00ca0000 | 0x00cdbfff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x018dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000018e0000 | 0x018e0000 | 0x038dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003960000 | 0x03960000 | 0x03a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a60000 | 0x03a60000 | 0x03b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a60000 | 0x03a60000 | 0x03b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b10000 | 0x03b10000 | 0x03b4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003b50000 | 0x03b50000 | 0x03c2efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003c70000 | 0x03c70000 | 0x03d6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003d70000 | 0x03d70000 | 0x04162fff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0x04170000 | 0x0422ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000004250000 | 0x04250000 | 0x0434ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004390000 | 0x04390000 | 0x0448ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x0459ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x0468ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x0478ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x0488ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004930000 | 0x04930000 | 0x04a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| system.windows.forms.ni.dll | 0x68aa0000 | 0x6967dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x69680000 | 0x69e1bfff | Memory Mapped File | rwx |
|
|
|
- |
| wminet_utils.dll | 0x6a310000 | 0x6a318fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x6b280000 | 0x6b383fff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x6b870000 | 0x6bda5fff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.dll | 0x6b8e0000 | 0x6bdadfff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x6bdb0000 | 0x6bf37fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x6bf40000 | 0x6ca37fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x6ca40000 | 0x6cfeafff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.ni.dll | 0x6de90000 | 0x6df80fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x6e180000 | 0x6e21afff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x6e880000 | 0x6e896fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x6ebe0000 | 0x6ebe9fff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x6efd0000 | 0x6efd4fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x6f7c0000 | 0x6f81bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x6f900000 | 0x6f95afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x6f960000 | 0x6f9d7fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x6fcf0000 | 0x6fd3efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x6fd40000 | 0x6fd97fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x704a0000 | 0x704a5fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x71de0000 | 0x71e29fff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x725f0000 | 0x72604fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x72610000 | 0x72661fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x73390000 | 0x7339cfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x73670000 | 0x73681fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x73690000 | 0x7369cfff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x736b0000 | 0x736e7fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x737c0000 | 0x737c6fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x737d0000 | 0x737ebfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x741e0000 | 0x7421ffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748d0000 | 0x748d8fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74960000 | 0x74964fff | Memory Mapped File | rwx |
|
|
|
- |
| credssp.dll | 0x74b20000 | 0x74b27fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74bf0000 | 0x74c2afff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74cd0000 | 0x74d13fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x74e00000 | 0x74e05fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74e10000 | 0x74e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74e50000 | 0x74e65fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74f80000 | 0x74f96fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x752b0000 | 0x752cafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x752d0000 | 0x752dbfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75370000 | 0x7537dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75380000 | 0x7538afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75540000 | 0x75589fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75590000 | 0x755b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75680000 | 0x75720fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75780000 | 0x75802fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75810000 | 0x75815fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75830000 | 0x76479fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x76480000 | 0x76489fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76490000 | 0x764aefff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76750000 | 0x768abfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76910000 | 0x769e3fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x769f0000 | 0x76a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76a90000 | 0x76b3bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76b40000 | 0x76c08fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c10000 | 0x76c9efff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ca0000 | 0x76d6bfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76e10000 | 0x76e66fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77230000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x77380000 | 0x773b4fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x773c0000 | 0x773d8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773e0000 | 0x7742dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77470000 | 0x77470fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ff50000 | 0x7ff50000 | 0x7ff5ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007ff60000 | 0x7ff60000 | 0x7ffaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 12 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe | 213.50 KB |
MD5:
1e8073f6a1421490fc093196e4eb884e
SHA1: 25b6296a419e8471ec899b8e1996fb20c5845c22 SHA256: d9a967d0caa8db86feca3ae469ef6797e81dfdac4d8531658cb242a87c80ce05 SSDeep: 6144:q+8ZepOGuDnw9tOJavXhe9Tedm/8b1tnzwa:qjZepgDj44Iyctnx |
|
|
Host Behavior
COM (9)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WbemDefaultPathParser | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
3 | |
| Create | WBEMLocator | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
2 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\SecurityCenter2 |
|
1 |
File (27)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\Realtek | - |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.config | type = file_attributes |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Realtek | type = file_attributes |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5 | type = file_attributes |
|
1 | |
| Get Info | C:\Users | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe | type = file_attributes |
|
1 | |
| Copy | C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe | source_filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 554 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe:Zone.Identifier | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe:Zone.Identifier | - |
|
1 |
Registry (21)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe" /rl HIGHEST /f | os_pid = 0xc88, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe" | os_pid = 0xca0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 |
Module (52)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll | base_address = 0x6a310000 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ResetSecurity, address_out = 0x6a311944 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = SetSecurity, address_out = 0x6a311986 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BlessIWbemServices, address_out = 0x6a3119cc |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BlessIWbemServicesObject, address_out = 0x6a311a1e |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetPropertyHandle, address_out = 0x6a311a70 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = WritePropertyValue, address_out = 0x6a311a89 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Clone, address_out = 0x6a311aa2 |
|
2 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = VerifyClientKey, address_out = 0x6a312270 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetQualifierSet, address_out = 0x6a311d73 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Get, address_out = 0x6a311b96 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Put, address_out = 0x6a311b7a |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Delete, address_out = 0x6a311bb5 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetNames, address_out = 0x6a311bc8 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BeginEnumeration, address_out = 0x6a311be4 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = Next, address_out = 0x6a311bf7 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = EndEnumeration, address_out = 0x6a311c16 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetPropertyQualifierSet, address_out = 0x6a311c26 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetObjectText, address_out = 0x6a311c3c |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = SpawnDerivedClass, address_out = 0x6a311c52 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = SpawnInstance, address_out = 0x6a311c68 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CompareTo, address_out = 0x6a311c7e |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetPropertyOrigin, address_out = 0x6a311c94 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = InheritsFrom, address_out = 0x6a311caa |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetMethod, address_out = 0x6a311cbd |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = PutMethod, address_out = 0x6a311cd9 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = DeleteMethod, address_out = 0x6a311cf5 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = BeginMethodEnumeration, address_out = 0x6a311d08 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = NextMethod, address_out = 0x6a311d1b |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = EndMethodEnumeration, address_out = 0x6a311d37 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetMethodQualifierSet, address_out = 0x6a311d47 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetMethodOrigin, address_out = 0x6a311d5d |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Get, address_out = 0x6a311d86 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Put, address_out = 0x6a311da2 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Delete, address_out = 0x6a311dbb |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_GetNames, address_out = 0x6a311dce |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_BeginEnumeration, address_out = 0x6a311de4 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_Next, address_out = 0x6a311df7 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = QualifierSet_EndEnumeration, address_out = 0x6a311e13 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetCurrentApartmentType, address_out = 0x6a311d73 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = GetDemultiplexedStub, address_out = 0x6a3118fd |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CreateInstanceEnumWmi, address_out = 0x6a311580 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CreateClassEnumWmi, address_out = 0x6a3115f6 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ExecQueryWmi, address_out = 0x6a31169e |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ExecNotificationQueryWmi, address_out = 0x6a311717 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = PutInstanceWmi, address_out = 0x6a311790 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = PutClassWmi, address_out = 0x6a311810 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = CloneEnumWbemClassObject, address_out = 0x6a311890 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll | function = ConnectServerWmi, address_out = 0x6a3124b7 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\users\eebsym5\appdata\local\temp\jrsi6vakyydz.exe, desired_access = FILE_MAP_WRITE |
|
1 |
System (8)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = CRH2YWU7 |
|
1 | |
| Get Info | type = Operating System |
|
7 |
Mutex (34)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = QSR_MUTEX_QSHCFbGIqN10lIdkUq |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
10 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = api.ipstack.com, address_out = 198.23.101.146, 158.85.167.221 |
|
1 |
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 204 bytes |
| Total Data Received | 966 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | api.ipstack.com |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.3; rv:40.0) Gecko/20100101 Firefox/49.0 |
| Server Name | api.ipstack.com |
| Server Port | 80 |
| Data Sent | 204 |
| Data Received | 966 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.3; rv:40.0) Gecko/20100101 Firefox/49.0, access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = api.ipstack.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /check?access_key=5fe547c4ec9ffabae465e7864d212dc4&output=xml |
|
1 | |
| Send HTTP Request | headers = host: api.ipstack.com, connection: Keep-Alive, user-agent: Mozilla/5.0 (Windows NT 6.3; rv:40.0) Gecko/20100101 Firefox/49.0, url = api.ipstack.com/check?access_key=5fe547c4ec9ffabae465e7864d212dc4&output=xml |
|
1 | |
| Read Response | size = 4096, size_out = 966 |
|
1 | |
| Close Session | - |
|
1 |
Process #9: schtasks.exe
19
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\schtasks.exe |
| Command Line | "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe" /rl HIGHEST /f |
| Initial Working Directory | C:\Users\EEBsYm5\Desktop\ |
| Monitor | Start Time: 00:01:40, Reason: Child Process |
| Unmonitor | End Time: 00:01:42, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc88 |
| Parent PID | 0xbf4 (c:\users\eebsym5\appdata\local\temp\jrsi6vakyydz.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C8C
0x
C9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00090000 | 0x000f6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00106fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x002d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x002f0000 | 0x00301fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00310fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00320fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00450fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00460000 | 0x0072efff | Memory Mapped File | r |
|
|
|
- |
| rpcss.dll | 0x00730000 | 0x0078bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x0080efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe | 0x00f60000 | 0x00f8dfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x01b8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| ktmw32.dll | 0x734c0000 | 0x734c8fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x739e0000 | 0x73a5cfff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x73e80000 | 0x73eaefff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x741e0000 | 0x7421ffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748d0000 | 0x748d8fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x752b0000 | 0x752cafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x752d0000 | 0x752dbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75540000 | 0x75589fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75680000 | 0x75720fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75780000 | 0x75802fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x76480000 | 0x76489fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76490000 | 0x764aefff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76750000 | 0x768abfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76910000 | 0x769e3fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x769f0000 | 0x76a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76a90000 | 0x76b3bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76b40000 | 0x76c08fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c10000 | 0x76c9efff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ca0000 | 0x76d6bfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76e10000 | 0x76e66fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77230000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x773c0000 | 0x773d8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773e0000 | 0x7742dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77470000 | 0x77470fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect, user = 585328, domain = 16161102, password = 3280523264 |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_LOGON, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2018-08-10T02:09:00 |
|
1 |
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 83 |
|
1 |
Module (9)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | VERSION.dll | base_address = 0x748d0000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x769f0000 |
|
1 | |
| Get Handle | c:\windows\system32\schtasks.exe | base_address = 0xf60000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748d19d9 |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoW, address_out = 0x748d19f4 |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = VerQueryValueW, address_out = 0x748d1b51 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x76a0157a |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-08-10 04:09:34 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 154924 |
|
1 | |
| Get Time | type = Local Time, time = 2018-08-10 02:09:34 (Local Time) |
|
1 |
Process #10: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {7737867F-ACDD-43AC-B745-B8B549957EED} S-1-5-21-3785418085-2572485238-895829336-1000:CRH2YWU7\EEBsYm5:Interactive:Highest[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:40, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:04:25, Reason: Self Terminated |
| Monitor Duration | 00:02:45 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x58c |
| Parent PID | 0x358 (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A28
0x
2A8
0x
5E0
0x
5A0
0x
594
0x
590
0x
DE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x002f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00300fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x009a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b30000 | 0x00dfefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00f2efff | Pagefile Backed Memory | r |
|
|
|
- |
| taskeng.exe | 0x00f30000 | 0x00f5ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x01b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b80000 | 0x01b80000 | 0x01bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c10000 | 0x01c10000 | 0x01c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d50000 | 0x01d50000 | 0x01d8ffff | Private Memory | rw |
|
|
|
- |
| tschannel.dll | 0x70500000 | 0x70507fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x73e80000 | 0x73eaefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x73eb0000 | 0x73ec2fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x741e0000 | 0x7421ffff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74bf0000 | 0x74c2afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74e50000 | 0x74e65fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x752b0000 | 0x752cafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x752d0000 | 0x752dbfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75370000 | 0x7537dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75540000 | 0x75589fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75680000 | 0x75720fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75780000 | 0x75802fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x76480000 | 0x76489fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76490000 | 0x764aefff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76750000 | 0x768abfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76910000 | 0x769e3fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x769f0000 | 0x76a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76a90000 | 0x76b3bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76b40000 | 0x76c08fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c10000 | 0x76c9efff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ca0000 | 0x76d6bfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76e10000 | 0x76e66fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77230000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x773c0000 | 0x773d8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773e0000 | 0x7742dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77470000 | 0x77470fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Process #11: realtekaudio.exe
151
16
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\users\eebsym5\appdata\roaming\realtek\realtekaudio.exe |
| Command Line | "C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe" |
| Initial Working Directory | C:\Users\EEBsYm5\Desktop\ |
| Monitor | Start Time: 00:01:41, Reason: Child Process |
| Unmonitor | End Time: 00:04:27, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xca0 |
| Parent PID | 0xbf4 (c:\users\eebsym5\appdata\local\temp\jrsi6vakyydz.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CA4
0x
CA8
0x
CAC
0x
CB8
0x
CBC
0x
CC0
0x
CC4
0x
CC8
0x
CCC
0x
CD0
0x
CD4
0x
CD8
0x
CDC
0x
CE0
0x
CE4
0x
CE8
0x
D5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0012ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0013ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0016ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | - |
|
|
|
- |
| l_intl.nls | 0x00190000 | 0x00192fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x00377fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00541fff | Pagefile Backed Memory | r |
|
|
|
- |
| sorttbls.nlp | 0x00550000 | 0x00554fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | rwx |
|
|
|
- |
| rpcss.dll | 0x005a0000 | 0x005fbfff | Memory Mapped File | r |
|
|
|
- |
| sortkey.nlp | 0x005a0000 | 0x005e0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x0060ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00720fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0073ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00740fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00756fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00761fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x0098efff | Pagefile Backed Memory | r |
|
|
|
- |
| realtekaudio.exe | 0x009f0000 | 0x00a2bfff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x0162ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001670000 | 0x01670000 | 0x0176ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001780000 | 0x01780000 | 0x0178ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001830000 | 0x01830000 | 0x0192ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01930000 | 0x01bfefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001c00000 | 0x01c00000 | 0x03bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c00000 | 0x03c00000 | 0x03d8ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x03c00000 | 0x03cbffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000003d50000 | 0x03d50000 | 0x03d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003da0000 | 0x03da0000 | 0x03e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003ea0000 | 0x03ea0000 | 0x04292fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004320000 | 0x04320000 | 0x0441ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x0469ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x0479ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x048fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x04aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x04a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| system.xml.ni.dll | 0x68560000 | 0x68a95fff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.dll | 0x685d0000 | 0x68a9dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.ni.dll | 0x68aa0000 | 0x6967dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x69680000 | 0x69e1bfff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.ni.dll | 0x6bcb0000 | 0x6bda0fff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x6bdb0000 | 0x6bf37fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x6bf40000 | 0x6ca37fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x6ca40000 | 0x6cfeafff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x6de80000 | 0x6df83fff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x6e010000 | 0x6e014fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x6e180000 | 0x6e21afff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x6e880000 | 0x6e896fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x6ebe0000 | 0x6ebe9fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x6f7c0000 | 0x6f81bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x6f900000 | 0x6f95afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x6f960000 | 0x6f9d7fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x6fcf0000 | 0x6fd3efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x6fd40000 | 0x6fd97fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x704a0000 | 0x704a5fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x71de0000 | 0x71e29fff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x725f0000 | 0x72604fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x72610000 | 0x72661fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x73390000 | 0x7339cfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x73670000 | 0x73681fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x73690000 | 0x7369cfff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x736b0000 | 0x736e7fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x737c0000 | 0x737c6fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x737d0000 | 0x737ebfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x741e0000 | 0x7421ffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748d0000 | 0x748d8fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74960000 | 0x74964fff | Memory Mapped File | rwx |
|
|
|
- |
| credssp.dll | 0x74b20000 | 0x74b27fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74bf0000 | 0x74c2afff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74cd0000 | 0x74d13fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x74e00000 | 0x74e05fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74e10000 | 0x74e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74e50000 | 0x74e65fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74f80000 | 0x74f96fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x752b0000 | 0x752cafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x752d0000 | 0x752dbfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75370000 | 0x7537dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75380000 | 0x7538afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75540000 | 0x75589fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75590000 | 0x755b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75680000 | 0x75720fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75780000 | 0x75802fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75810000 | 0x75815fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75830000 | 0x76479fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x76480000 | 0x76489fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76490000 | 0x764aefff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76750000 | 0x768abfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76910000 | 0x769e3fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x769f0000 | 0x76a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76a90000 | 0x76b3bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76b40000 | 0x76c08fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c10000 | 0x76c9efff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ca0000 | 0x76d6bfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76e10000 | 0x76e66fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77230000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x77380000 | 0x773b4fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x773c0000 | 0x773d8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773e0000 | 0x7742dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77470000 | 0x77470fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ff50000 | 0x7ff50000 | 0x7ff5ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007ff60000 | 0x7ff60000 | 0x7ffaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 15 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (9)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WbemDefaultPathParser | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
3 | |
| Create | WBEMLocator | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
2 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\SecurityCenter2 |
|
1 |
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.config | type = file_attributes |
|
2 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
2 | |
| Delete | C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe:Zone.Identifier | - |
|
1 |
Registry (21)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f | os_pid = 0xcec, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 |
Module (54)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll | base_address = 0x6a310000 |
|
1 | |
| Get Handle | c:\users\eebsym5\appdata\roaming\realtek\realtekaudio.exe | base_address = 0x9f0000 |
|
2 | |
| Get Address | Unknown module name | function = ResetSecurity, address_out = 0x6a311944 |
|
1 | |
| Get Address | Unknown module name | function = SetSecurity, address_out = 0x6a311986 |
|
1 | |
| Get Address | Unknown module name | function = BlessIWbemServices, address_out = 0x6a3119cc |
|
1 | |
| Get Address | Unknown module name | function = BlessIWbemServicesObject, address_out = 0x6a311a1e |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyHandle, address_out = 0x6a311a70 |
|
1 | |
| Get Address | Unknown module name | function = WritePropertyValue, address_out = 0x6a311a89 |
|
1 | |
| Get Address | Unknown module name | function = Clone, address_out = 0x6a311aa2 |
|
2 | |
| Get Address | Unknown module name | function = VerifyClientKey, address_out = 0x6a312270 |
|
1 | |
| Get Address | Unknown module name | function = GetQualifierSet, address_out = 0x6a311d73 |
|
1 | |
| Get Address | Unknown module name | function = Get, address_out = 0x6a311b96 |
|
1 | |
| Get Address | Unknown module name | function = Put, address_out = 0x6a311b7a |
|
1 | |
| Get Address | Unknown module name | function = Delete, address_out = 0x6a311bb5 |
|
1 | |
| Get Address | Unknown module name | function = GetNames, address_out = 0x6a311bc8 |
|
1 | |
| Get Address | Unknown module name | function = BeginEnumeration, address_out = 0x6a311be4 |
|
1 | |
| Get Address | Unknown module name | function = Next, address_out = 0x6a311bf7 |
|
1 | |
| Get Address | Unknown module name | function = EndEnumeration, address_out = 0x6a311c16 |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyQualifierSet, address_out = 0x6a311c26 |
|
1 | |
| Get Address | Unknown module name | function = GetObjectText, address_out = 0x6a311c3c |
|
1 | |
| Get Address | Unknown module name | function = SpawnDerivedClass, address_out = 0x6a311c52 |
|
1 | |
| Get Address | Unknown module name | function = SpawnInstance, address_out = 0x6a311c68 |
|
1 | |
| Get Address | Unknown module name | function = CompareTo, address_out = 0x6a311c7e |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyOrigin, address_out = 0x6a311c94 |
|
1 | |
| Get Address | Unknown module name | function = InheritsFrom, address_out = 0x6a311caa |
|
1 | |
| Get Address | Unknown module name | function = GetMethod, address_out = 0x6a311cbd |
|
1 | |
| Get Address | Unknown module name | function = PutMethod, address_out = 0x6a311cd9 |
|
1 | |
| Get Address | Unknown module name | function = DeleteMethod, address_out = 0x6a311cf5 |
|
1 | |
| Get Address | Unknown module name | function = BeginMethodEnumeration, address_out = 0x6a311d08 |
|
1 | |
| Get Address | Unknown module name | function = NextMethod, address_out = 0x6a311d1b |
|
1 | |
| Get Address | Unknown module name | function = EndMethodEnumeration, address_out = 0x6a311d37 |
|
1 | |
| Get Address | Unknown module name | function = GetMethodQualifierSet, address_out = 0x6a311d47 |
|
1 | |
| Get Address | Unknown module name | function = GetMethodOrigin, address_out = 0x6a311d5d |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Get, address_out = 0x6a311d86 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Put, address_out = 0x6a311da2 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Delete, address_out = 0x6a311dbb |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_GetNames, address_out = 0x6a311dce |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_BeginEnumeration, address_out = 0x6a311de4 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Next, address_out = 0x6a311df7 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_EndEnumeration, address_out = 0x6a311e13 |
|
1 | |
| Get Address | Unknown module name | function = GetCurrentApartmentType, address_out = 0x6a311d73 |
|
1 | |
| Get Address | Unknown module name | function = GetDemultiplexedStub, address_out = 0x6a3118fd |
|
1 | |
| Get Address | Unknown module name | function = CreateInstanceEnumWmi, address_out = 0x6a311580 |
|
1 | |
| Get Address | Unknown module name | function = CreateClassEnumWmi, address_out = 0x6a3115f6 |
|
1 | |
| Get Address | Unknown module name | function = ExecQueryWmi, address_out = 0x6a31169e |
|
1 | |
| Get Address | Unknown module name | function = ExecNotificationQueryWmi, address_out = 0x6a311717 |
|
1 | |
| Get Address | Unknown module name | function = PutInstanceWmi, address_out = 0x6a311790 |
|
1 | |
| Get Address | Unknown module name | function = PutClassWmi, address_out = 0x6a311810 |
|
1 | |
| Get Address | Unknown module name | function = CloneEnumWbemClassObject, address_out = 0x6a311890 |
|
1 | |
| Get Address | Unknown module name | function = ConnectServerWmi, address_out = 0x6a3124b7 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\users\eebsym5\appdata\roaming\realtek\realtekaudio.exe, desired_access = FILE_MAP_WRITE |
|
1 |
Window (3)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WindowsForms10.Window.8.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = 18446744073709551612, new_long = 1991594109 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = 18446744073709551612, new_long = 8850562 |
|
1 |
System (8)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = CRH2YWU7 |
|
1 | |
| Get Info | type = Operating System |
|
7 |
Mutex (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = QSR_MUTEX_QSHCFbGIqN10lIdkUq |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
9 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | - |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
9 |
Network Behavior
DNS (8)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = api.ipstack.com, address_out = 198.23.101.146, 158.85.167.221 |
|
1 | |
| Resolve Name | host = r3m0te.65cdn.com, address_out = 104.207.155.61 |
|
7 |
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 204 bytes |
| Total Data Received | 966 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | api.ipstack.com |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/5.0 (Windows NT 6.3; rv:40.0) Gecko/20100101 Firefox/49.0 |
| Server Name | api.ipstack.com |
| Server Port | 80 |
| Data Sent | 204 |
| Data Received | 966 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/5.0 (Windows NT 6.3; rv:40.0) Gecko/20100101 Firefox/49.0, access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = api.ipstack.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /check?access_key=5fe547c4ec9ffabae465e7864d212dc4&output=xml |
|
1 | |
| Send HTTP Request | headers = host: api.ipstack.com, connection: Keep-Alive, user-agent: Mozilla/5.0 (Windows NT 6.3; rv:40.0) Gecko/20100101 Firefox/49.0, url = api.ipstack.com/check?access_key=5fe547c4ec9ffabae465e7864d212dc4&output=xml |
|
1 | |
| Read Response | size = 4096, size_out = 966 |
|
1 | |
| Close Session | - |
|
3 |
Process #12: schtasks.exe
19
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\schtasks.exe |
| Command Line | "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f |
| Initial Working Directory | C:\Users\EEBsYm5\Desktop\ |
| Monitor | Start Time: 00:01:45, Reason: Child Process |
| Unmonitor | End Time: 00:01:46, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcec |
| Parent PID | 0xca0 (c:\users\eebsym5\appdata\roaming\realtek\realtekaudio.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CF0
0x
D00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x000e0000 | 0x000f1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00160000 | 0x001bbfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x002a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| schtasks.exe | 0x002f0000 | 0x0031dfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00420fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0117ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01180000 | 0x0144efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001450000 | 0x01450000 | 0x015affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001450000 | 0x01450000 | 0x0152efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001570000 | 0x01570000 | 0x015affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001690000 | 0x01690000 | 0x016cffff | Private Memory | rw |
|
|
|
- |
| ktmw32.dll | 0x734c0000 | 0x734c8fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x739e0000 | 0x73a5cfff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x73e80000 | 0x73eaefff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x741e0000 | 0x7421ffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748d0000 | 0x748d8fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x752b0000 | 0x752cafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x752d0000 | 0x752dbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75540000 | 0x75589fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75680000 | 0x75720fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75780000 | 0x75802fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x76480000 | 0x76489fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76490000 | 0x764aefff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76750000 | 0x768abfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76910000 | 0x769e3fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x769f0000 | 0x76a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76a90000 | 0x76b3bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76b40000 | 0x76c08fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c10000 | 0x76c9efff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ca0000 | 0x76d6bfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76e10000 | 0x76e66fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77230000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x773c0000 | 0x773d8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773e0000 | 0x7742dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77470000 | 0x77470fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect, user = 1370664, domain = 3119438, password = 3280523264 |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_LOGON, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2018-08-10T02:09:00 |
|
1 |
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 83 |
|
1 |
Module (9)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | VERSION.dll | base_address = 0x748d0000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x769f0000 |
|
1 | |
| Get Handle | c:\windows\system32\schtasks.exe | base_address = 0x2f0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x748d19d9 |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoW, address_out = 0x748d19f4 |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = VerQueryValueW, address_out = 0x748d1b51 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x76a0157a |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-08-10 04:09:39 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 159589 |
|
1 | |
| Get Time | type = Local Time, time = 2018-08-10 02:09:39 (Local Time) |
|
1 |
