8d3f68b1...965b | Grouped Behavior
VTI SCORE: 98/100
Dynamic Analysis Report
Classification: Trojan, Ransomware

8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b (SHA256)

FmoAc.exe

Windows Exe (x86-64)

Created at 2018-11-27 19:42:00

Notifications (2/3)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
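The rows that follow show the defence-impairment stage this sample runs before it encrypts anything: from origin #1, at High (Elevated) integrity, it spawns one taskkill.exe per office, mail, database and security-tool process (`/IM name /F`) and one net.exe per backup, SQL, Exchange and endpoint-protection service (`stop name /y`); each net.exe in turn spawns a net1.exe helper that carries the same service name. The Python below is an added example, not VMRay's code: it parses rows in this Process Overview format, attributes every kill or stop to its Origin ID, skips the net1.exe helper rows so that each service stop is counted once, buckets the targets with a keyword heuristic, and flags a parent that mass-terminates across several categories. The sample rows are copied from the table on this page; the category keyword lists and the thresholds (10 children, 2 categories) are assumptions to tune per environment.

```python
"""Triage helper: score a VMRay-style Process Overview for ransomware-like
defence impairment (mass taskkill / net stop issued by a single parent).
Added example, not VMRay code; keyword lists and thresholds are assumptions."""
from __future__ import annotations
import re
from collections import Counter, defaultdict

# Rows copied from the Process Overview on this page (subset of the full table).
SAMPLE_ROWS = r"""
#1 0x910 Analysis Target High (Elevated) fmoac.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" -
#7 0x9b8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM excel.exe /F #1
#26 0x8e4 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F #1
#31 0x834 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F #1
#47 0xec0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F #1
#48 0xf04 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y #1
#50 0xf60 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Agent" /y #1
#53 0xfb8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y #48
#57 0xc18 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Agent" /y #50
#76 0xe70 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y #1
#133 0xd30 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McShield /y #1
#213 0xa64 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLSERVER /y #1
#254 0x940 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SepMasterService /y #1
""".strip()

# One table row: ID PID "Monitor Reason" "Integrity Level" Image "Command Line" Origin.
# Only the two monitor reasons seen on this page are recognised; extend as needed.
ROW = re.compile(
    r"^#(?P<id>\d+)\s+(?P<pid>0x[0-9a-f]+)\s+(?P<reason>Analysis Target|Child Process)\s+"
    r"(?P<integrity>\w+(?: \(\w+\))?)\s+(?P<image>\S+\.exe)\s+(?P<cmd>.+?)\s+(?P<origin>#\d+|-)$"
)

# Heuristic keyword lists (assumption); first matching category wins.
CATEGORIES = {
    "backup": ("acronis", "veeam", "backupexec", "bedbg", "sqlsafe", "mozy",
               "system recovery", "vss", "sdrsvc", "zoolz", "sqbcore", "arsm"),
    "security": ("sophos", "sav", "swi_", "mcafee", "mcshield", "mfe", "mctask",
                 "symantec", "sep", "smc", "snac", "mbam", "mbendpoint", "ntrtscan",
                 "tmlisten", "pccntmon", "cntaosmgr", "antivirus", "eraser", "esg"),
    "database": ("sql", "mysql", "oracle", "dbeng", "dbsnmp", "msdts", "olap",
                 "reportserver", "isqlplus"),
    "office_mail": ("excel", "winword", "outlook", "powerpnt", "onenote", "visio",
                    "mspub", "infopath", "wordpad", "msaccess", "thunderbird",
                    "thebat", "exchange", "imap4", "pop3", "smtp"),
}


def tokens(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted args whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def kill_target(image: str, cmd: str):
    """('process', name) for taskkill /IM name /F, ('service', name) for net stop name /y.
    net1.exe is the helper net.exe spawns for the same stop, so it is ignored here
    (its Origin ID points at the net.exe row) to avoid counting each stop twice."""
    t = tokens(cmd)
    low = [x.lower() for x in t]
    if image == "taskkill.exe" and "/im" in low and "/f" in low:
        i = low.index("/im")
        if i + 1 < len(t):
            return "process", t[i + 1]
    if image == "net.exe" and len(low) >= 3 and low[1] == "stop":
        return "service", t[2]
    return None


def categorize(name: str) -> str:
    low = name.lower()
    for cat, keys in CATEGORIES.items():
        if any(k in low for k in keys):
            return cat
    return "other"


def analyze(report_rows: str, min_children: int = 10, min_categories: int = 2) -> dict:
    """Group kill/stop children by Origin ID and flag parents that terminate at
    least min_children targets spanning at least min_categories categories."""
    rows = {}
    for line in report_rows.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m["id"]] = m.groupdict()
    by_parent = defaultdict(list)
    for r in rows.values():
        hit = kill_target(r["image"].lower(), r["cmd"])
        if hit and r["origin"] != "-":
            by_parent[r["origin"].lstrip("#")].append(hit)
    findings = {}
    for parent, hits in by_parent.items():
        cats = Counter(categorize(name) for _, name in hits)
        findings[parent] = {
            "image": rows.get(parent, {}).get("image", "?"),
            "integrity": rows.get(parent, {}).get("integrity", "?"),
            "processes": sorted(n for k, n in hits if k == "process"),
            "services": sorted(n for k, n in hits if k == "service"),
            "categories": dict(cats),
            "suspicious": len(hits) >= min_children
            and len([c for c in cats if c != "other"]) >= min_categories,
        }
    return findings


if __name__ == "__main__":
    for parent, f in analyze(SAMPLE_ROWS).items():
        print(f"origin #{parent} ({f['image']}, {f['integrity']}): suspicious={f['suspicious']}")
        print("  categories:", f["categories"])
        print("  services stopped:", ", ".join(f["services"]))
```

Pasting the whole table into `SAMPLE_ROWS` yields one finding for origin #1 with well over a hundred children; the same grouping logic applies unchanged to Sysmon Event ID 1 or EDR process-creation telemetry once the parent GUID is used in place of the Origin ID. Note that the net1.exe rows are parsed but deliberately not scored, and that the High (Elevated) integrity of the parent is what lets every `net stop` succeed.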
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x910 Analysis Target High (Elevated) fmoac.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" -
#2 0x938 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F #1
#3 0x944 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F #1
#4 0x964 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F #1
#5 0x97c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F #1
#6 0x9a4 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F #1
#7 0x9b8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM excel.exe /F #1
#8 0xa6c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F #1
#9 0xa80 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F #1
#10 0xabc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F #1
#11 0xadc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F #1
#13 0xb58 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F #1
#14 0xb74 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F #1
#15 0xbfc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F #1
#16 0x78c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F #1
#17 0x840 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F #1
#18 0x824 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F #1
#19 0x7ec Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F #1
#21 0x724 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F #1
#22 0x6a0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F #1
#23 0x4e4 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F #1
#24 0x8bc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F #1
#25 0x8e8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F #1
#26 0x8e4 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F #1
#27 0x8dc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F #1
#28 0x95c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F #1
#29 0x65c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F #1
#30 0xb70 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F #1
#31 0x834 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F #1
#32 0xc10 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F #1
#33 0xc30 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM steam.exe /F #1
#34 0xc8c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F #1
#35 0xcbc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F #1
#36 0xce8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F #1
#37 0xd04 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F #1
#38 0xd44 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F #1
#39 0xd60 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM visio.exe /F #1
#40 0xda8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM winword.exe /F #1
#41 0xdc0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F #1
#42 0xe04 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F #1
#43 0xe20 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F #1
#44 0xe48 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F #1
#45 0xe68 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F #1
#46 0xea0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F #1
#47 0xec0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F #1
#48 0xf04 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y #1
#49 0xf24 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y #1
#50 0xf60 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Agent" /y #1
#51 0xf78 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y #1
#52 0xfb0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Enterprise Client Service" /y #49
#53 0xfb8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y #48
#54 0xfc4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y #1
#55 0xfd8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y #1
#56 0x7c0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y #1
#57 0xc18 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Agent" /y #50
#58 0xc38 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y #51
#59 0xcb8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y #1
#60 0xd74 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Device Control Service" /y #55
#61 0xdb0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Clean Service" /y #54
#62 0xe28 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y #1
#63 0xe70 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y #1
#64 0xf0c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y #1
#65 0xf2c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Health Service" /y #59
#66 0xfe0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y #1
#67 0xf04 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y #56
#68 0xf1c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Message Router" /y #64
#69 0xfb0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos MCS Agent" /y #62
#70 0xc2c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y #1
#71 0xcc4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos MCS Client" /y #63
#72 0xcf0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y #1
#73 0xf78 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y #1
#74 0xd74 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y #1
#75 0xfc8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y #1
#76 0xe70 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y #1
#77 0xff0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y #74
#78 0xaf4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Symantec System Recovery" /y #75
#79 0x688 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Safestore Service" /y #66
#80 0xf68 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Web Control Service" /y #72
#81 0xbc0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos System Protection Service" /y #70
#82 0xbcc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y #73
#83 0xf3c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop AcronisAgent /y #1
#84 0x864 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop AcrSch2Svc /y #1
#85 0x578 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop Antivirus /y #1
#86 0x548 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ARSM /y #1
#87 0x518 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop AcronisAgent /y #83
#88 0xfbc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop AcrSch2Svc /y #84
#89 0xad0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop Antivirus /y #85
#90 0xb08 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y #1
#91 0x6c8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y #1
#92 0x898 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y #1
#93 0xfb8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ARSM /y #86
#94 0x828 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y #1
#95 0xadc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecManagementService /y #1
#96 0x724 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecRPCService /y #1
#97 0xf94 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y #90
#98 0x8e0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y #1
#99 0xc94 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop bedbg /y #1
#100 0xb48 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecJobEngine /y #94
#101 0xa94 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecAgentBrowser /y #91
#102 0x988 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y #92
#103 0xae4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop DCAgent /y #1
#104 0x82c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EPSecurityService /y #1
#105 0x970 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EPUpdateService /y #1
#106 0x968 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecRPCService /y #96
#107 0xab8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecManagementService /y #95
#108 0x8ec Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop bedbg /y #99
#109 0x7e4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecVSSProvider /y #98
#110 0x9a0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EraserSvc11710 /y #1
#111 0xad4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EsgShKernel /y #1
#112 0xc20 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EPSecurityService /y #104
#113 0x9d0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop DCAgent /y #103
#114 0x974 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop FA_Scheduler /y #1
#115 0x990 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EPUpdateService /y #105
#116 0x954 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop IISAdmin /y #1
#117 0x240 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EsgShKernel /y #111
#118 0xc68 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EraserSvc11710 /y #110
#119 0x568 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop IMAP4Svc /y #1
#120 0xc04 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop macmnsvc /y #1
#121 0x834 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop IMAP4Svc /y #119
#122 0x690 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop FA_Scheduler /y #114
#123 0xfc4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop IISAdmin /y #116
#124 0xaf0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop masvc /y #1
#125 0xff0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MBAMService /y #1
#126 0xbcc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop macmnsvc /y #120
#127 0xde4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MBEndpointAgent /y #1
#128 0xdec Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McAfeeEngineService /y #1
#129 0xf9c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop masvc /y #124
#130 0x838 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MBAMService /y #125
#131 0xb5c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McAfeeFramework /y #1
#132 0xd8c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y #1
#133 0xd30 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McShield /y #1
#134 0x978 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MBEndpointAgent /y #127
#135 0xb68 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McTaskManager /y #1
#136 0xb3c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mfemms /y #1
#137 0xdf8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McAfeeEngineService /y #128
#138 0xd28 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McAfeeFramework /y #131
#139 0xec8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y #132
#140 0xfb4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McShield /y #133
#141 0x850 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mfevtp /y #1
#142 0xce4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MMS /y #1
#143 0xffc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mozyprobackup /y #1
#144 0xc38 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McTaskManager /y #135
#145 0xae0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MsDtsServer /y #1
#146 0xfa8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MsDtsServer100 /y #1
#147 0xedc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mfemms /y #136
#148 0xba8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mfevtp /y #141
#149 0xef4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MMS /y #142
#150 0xe88 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mozyprobackup /y #143
#151 0x8bc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MsDtsServer110 /y #1
#152 0x8c8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeES /y #1
#153 0xdac Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MsDtsServer /y #145
#154 0xdd0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeIS /y #1
#155 0xf14 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MsDtsServer100 /y #146
#156 0xec0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y #1
#157 0xd08 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MsDtsServer110 /y #151
#158 0xd18 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeMTA /y #1
#159 0xd64 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeSA /y #1
#160 0xe24 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeIS /y #154
#161 0xc90 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeES /y #152
#162 0xf48 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeSRS /y #1
#163 0xf00 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y #1
#164 0xccc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y #1
#165 0xdcc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeMGMT /y #156
#166 0xd48 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeMTA /y #158
#167 0xd9c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeSA /y #159
#168 0x210 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeSRS /y #162
#169 0xe98 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y #1
#170 0xeb8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y #1
#171 0xe08 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y #76
#172 0xdb4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y #1
#173 0xe2c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y #163
#174 0xe18 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$TPS /y #169
#175 0x7e8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y #164
#176 0xcf8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y #1
#177 0xcc8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y #1
#178 0xe78 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y #1
#179 0x8e4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y #172
#180 0x9c0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y #170
#181 0xa74 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y #1
#182 0xbc4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y #1
#183 0xbac Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y #176
#184 0xcd4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y #177
#185 0xc18 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y #178
#186 0xb6c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y #1
#187 0xba4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y #1
#188 0x864 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y #1
#189 0xb04 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y #182
#190 0xaf8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y #186
#191 0xb1c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$TPS /y #1
#192 0xf94 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y #1
#193 0x938 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y #187
#194 0x590 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y #188
#195 0xb48 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y #1
#196 0x828 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y #1
#197 0x874 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$TPSAMA /y #192
#198 0xab8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y #181
#199 0x5ac Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$TPS /y #191
#200 0x91c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y #1
#201 0x3b8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y #1
#202 0xaa0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y #1
#203 0xb54 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y #195
#204 0xadc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y #1
#205 0x9a8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y #1
#206 0xc6c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y #196
#207 0x9d0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher /y #200
#208 0xb18 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y #201
#209 0xae4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y #202
#210 0x98c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y #1
#211 0xa9c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y #1
#212 0xad8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y #1
#213 0xa64 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLSERVER /y #1
#214 0xd00 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y #210
#215 0x820 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y #204
#216 0xbc0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y #205
#217 0x6e8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y #1
#218 0xa88 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y #1
#219 0xbd0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLSERVER /y #213
#220 0xdd8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y #212
#221 0xbb8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y #211
#222 0xab0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MySQL80 /y #1
#223 0x9b4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MySQL57 /y #1
#224 0xfdc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLServerOLAPService /y #218
#225 0xec8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y #217
#226 0x7ac Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ntrtscan /y #1
#227 0xd28 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop OracleClientCache80 /y #1
#228 0xaa4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop PDVFSService /y #1
#229 0xd80 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MySQL80 /y #222
#230 0xe1c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop POP3Svc /y #1
#231 0xc58 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer /y #1
#232 0xebc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MySQL57 /y #223
#233 0xb40 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ntrtscan /y #226
#234 0x958 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop OracleClientCache80 /y #227
#235 0xb68 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop PDVFSService /y #228
#236 0xac0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y #1
#237 0xba8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y #1
#238 0x6f8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$TPS /y #1
#239 0xedc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop POP3Svc /y #230
#240 0xf1c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y #1
#241 0xce8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer /y #231
#242 0xdb8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop RESvc /y #1
#243 0xd68 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y #236
#244 0xae0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y #237
#245 0xed4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop sacsvr /y #1
#246 0xe34 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SamSs /y #1
#247 0xdc4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SAVAdminService /y #1
#248 0x260 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$TPSAMA /y #240
#249 0xee4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$TPS /y #238
#250 0xf18 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SAVService /y #1
#251 0x8c8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SDRSVC /y #1
#252 0xb60 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SAVAdminService /y #247
#253 0x32c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop RESvc /y #242
#254 0x940 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SepMasterService /y #1
#255 0xe54 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop sacsvr /y #245
#256 0xe4c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SamSs /y #246
#257 0x970 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ShMonitor /y #1
#258 0x690 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop Smcinst /y #1
#259 0x9cc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SepMasterService /y #254
#260 0xc04 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SAVService /y #250
#261 0xf9c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SDRSVC /y #251
#262 0xaf0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SmcService /y #1
#263 0xf88 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SMTPSvc /y #1
#264 0xeac Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop Smcinst /y #258
#265 0x8f4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ShMonitor /y #257
#266 0x1e0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SNAC /y #1
#267 0x6ec Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SntpService /y #1
#268 0xe00 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SmcService /y #262
#269 0xac4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SMTPSvc /y #263
#270 0xf80 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop sophossps /y #1
#271 0xc8c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y #1
#272 0xe2c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SNAC /y #266
#273 0xcf4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y #1
#274 0xea0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y #1
#275 0xcf0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SntpService /y #267
#276 0xfa4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y #1
#277 0xea8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop sophossps /y #270
#278 0xe5c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y #1
#279 0xda0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y #271
#280 0xbd8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y #274
#281 0x90c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y #273
#282 0x24c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y #1
#283 0xd58 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y #1
#284 0xe48 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y #1
#285 0xecc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y #1
#286 0xb6c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y #278
#287 0x578 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y #276
#288 0xfb8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y #283
#289 0x94c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y #1
#290 0x988 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y #285
#291 0x7e4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y #284
#292 0x848 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y #282
#293 0x874 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y #1
#294 0x878 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y #1
#295 0xaac Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$TPS /y #289
#296 0xba0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y #1
#297 0x344 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLBrowser /y #1
#298 0xb4c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y #294
#299 0xb10 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y #293
#300 0xb24 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y #1
#301 0xbf8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y #1
#302 0xb00 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLBrowser /y #297
#303 0xb74 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y #296
#304 0x964 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y #1
#305 0xaa0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y #1
#306 0x8e0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLSERVERAGENT /y #301
#307 0xac8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLSafeOLRService /y #300
#308 0x740 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLWriter /y #1
#309 0x82c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SstpSvc /y #1
#310 0xb50 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y #305
#311 0x274 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY /y #304
#312 0xb44 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop svcGenericHost /y #1
#313 0x9d8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop swi_filter /y #1
#314 0x540 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop swi_service /y #1
#315 0x98c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SstpSvc /y #309
#316 0xd98 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLWriter /y #308
#317 0x810 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop swi_update_64 /y #1
#318 0xdd8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TmCCSF /y #1
#319 0xad8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop swi_service /y #314
#320 0x9b0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop svcGenericHost /y #312
#321 0x928 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop swi_filter /y #313
#322 0xc3c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop tmlisten /y #1
#323 0x81c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TrueKey /y #1
#324 0xfb4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y #1
#325 0xf20 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop swi_update_64 /y #317
#326 0x688 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y #1
#327 0xcfc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TmCCSF /y #318
#328 0xd8c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop UI0Detect /y #1
#329 0xe8c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TrueKeyScheduler /y #324
#330 0xb68 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop tmlisten /y #322
#331 0xab0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TrueKey /y #323
#332 0x994 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y #1
#333 0xebc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y #1
#334 0xc14 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop UI0Detect /y #328
#335 0xd30 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TrueKeyServiceHelper /y #326
#336 0xd20 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamBrokerSvc /y #333
#337 0xf50 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamBackupSvc /y #332
#338 0x798 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y #1
#339 0xf7c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y #1
#340 0x7f8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y #1
#341 0xfac Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y #1
#342 0x8a8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y #1
#343 0xee0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamDeploymentService /y #340
#344 0xb0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamCloudSvc /y #339
#345 0xf78 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamCatalogSvc /y #338
#346 0xe24 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamMountSvc /y #1
#347 0xe14 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y #1
#348 0xef8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y #342
#349 0xd10 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamDeploySvc /y #341
#350 0xf48 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y #1
#351 0xe10 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y #1
#352 0x954 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamNFSSvc /y #347
#353 0x710 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamMountSvc /y #346
#354 0x974 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop W3Svc /y #1
#355 0x9cc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop wbengine /y #1
#356 0xf34 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamTransportSvc /y #351
#357 0xbfc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamRESTSvc /y #350
#358 0x940 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop WRSVC /y #1
#359 0x834 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y #1
#360 0xf68 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop wbengine /y #355
#361 0x690 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop W3Svc /y #354
#362 0xd78 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y #1
#363 0xe40 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y #1
#364 0xc30 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop WRSVC /y #358
#365 0xe2c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop swi_update /y #1
#366 0x920 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y #359
#367 0xd54 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y #362
#368 0xe08 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y #1
#369 0xf10 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y #1
#370 0xd14 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "SQL Backups" /y #1
#371 0x6ec Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop swi_update /y #365
#372 0xd70 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y #363
#373 0x5f0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PROD /y #1
#374 0xc48 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y #1
#375 0xc8c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "SQL Backups" /y #370
#376 0xe04 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$CXDB /y #368
#377 0xea0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y #369
#378 0xcc8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y #1
#379 0x69c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PROD /y #373
#380 0x424 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y #1
#381 0xd4c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop msftesql$PROD /y #1
#382 0x578 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop NetMsmqActivator /y #1
#383 0xfa4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Zoolz 2 Service" /y #374
#384 0xedc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EhttpSrv /y #1
#385 0xe1c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper /y #378
#386 0xc58 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop msftesql$PROD /y #381
#387 0xac0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop NetMsmqActivator /y #382
#388 0xfe0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PROD /y #380
#389 0xb3c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ekrn /y #1
#390 0xf14 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ESHASRV /y #1
#391 0xe34 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EhttpSrv /y #384
#392 0xc74 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y #1
#393 0x7e4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y #1
#394 0x8c4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ESHASRV /y #390
#395 0xa70 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ekrn /y #389
#396 0xf5c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop AVP /y #1
#397 0xe68 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop klnagent /y #1
#398 0x7f0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SOPHOS /y #392
#399 0xff8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y #393
#400 0x9bc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y #1
#401 0x818 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y #1
#402 0xbf4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop wbengine /y #1
#403 0x488 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop kavfsslp /y #1
#404 0xb00 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop AVP /y #396
#405 0x89c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop klnagent /y #397
#406 0xf54 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop wbengine /y #402
#407 0xa74 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop KAVFSGT /y #1
#408 0xa6c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y #400
#409 0x9c8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y #401
#410 0xbf8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop KAVFS /y #1
#411 0xb24 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mfefire /y #1
#412 0x840 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" /f #1
#413 0x448 Injection Medium dwm.exe "C:\Windows\system32\Dwm.exe" #1
#414 0x274 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop KAVFSGT /y #407
#415 0x7a8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop kavfsslp /y #403
#416 0x968 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop KAVFS /y #410
#417 0x91c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mfefire /y #411
#418 0x4a4 Injection Medium taskhost.exe "taskhost.exe" #1
#419 0x9c4 Child Process High (Elevated) reg.exe REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" /f #412
#420 0x59c Injection High (Elevated) taskeng.exe taskeng.exe {CD671DAD-4B74-4170-B439-24634829D136} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1] #1
#422 0x77c Autostart Medium fmoac.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" -
#423 0x448 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F #422
#424 0x78c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F #422
#425 0x174 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F #422
#426 0x334 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F #422
#427 0x7c8 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F #422
#428 0x7b4 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM excel.exe /F #422
#429 0x784 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F #422
#431 0x5f8 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F #422
#432 0x810 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F #422
#433 0x830 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F #422
#434 0x870 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F #422
#435 0x8c4 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F #422
#436 0x8f4 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F #422
#437 0x920 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F #422
#439 0x96c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F #422
#440 0x984 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F #422
#441 0x9b0 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F #422
#442 0x9d8 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F #422
#443 0xa34 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F #422
#444 0xa5c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F #422
#445 0xa7c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F #422
#446 0xac0 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F #422
#447 0xae4 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F #422
#448 0xb24 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F #422
#449 0xb40 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F #422
#450 0xb90 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F #422
#451 0xbb0 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F #422
#452 0xbe8 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F #422
#453 0x82c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F #422
#454 0x974 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM steam.exe /F #422
#455 0x548 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F #422
#456 0xb5c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F #422
#457 0x7bc Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F #422
#458 0xc28 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F #422
#459 0xc40 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F #422
#460 0xc78 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM visio.exe /F #422
#461 0xc9c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM winword.exe /F #422
#462 0xcd4 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F #422
#463 0xcf8 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F #422
#464 0xd3c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F #422
#465 0xd60 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F #422
#466 0xd8c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F #422
#467 0xda0 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F #422
#468 0xdd0 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F #422
#469 0xe00 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y #422
#470 0xe1c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y #422
#471 0xee4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Agent" /y #422
#472 0xf08 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y #422
#473 0xf18 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y #469
#474 0xf20 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Enterprise Client Service" /y #470
#475 0xf30 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y #422
#476 0xf48 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Agent" /y #471
#477 0xf6c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y #422
#478 0xb48 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y #422
#479 0xc3c Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Device Control Service" /y #477
#480 0xd24 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Clean Service" /y #475
#481 0xd14 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y #472
#482 0xd80 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y #422
#483 0xdb4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y #422
#484 0x61c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y #422
#485 0xe54 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y #478
#486 0x964 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y #422
#487 0x83c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y #422
#488 0x8d0 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Health Service" /y #482
#489 0xe78 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos MCS Agent" /y #483
#490 0x9f8 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos MCS Client" /y #484
#491 0xa08 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y #422
#492 0xe18 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y #422
#493 0x318 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Safestore Service" /y #487
#494 0x408 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Message Router" /y #486
#495 0x3a8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y #422
#496 0x804 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos System Protection Service" /y #491
#497 0x994 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y #422
#498 0x9a0 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Web Control Service" /y #492
#499 0x8a0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y #422
#500 0x218 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y #422
#501 0x848 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop AcronisAgent /y #422
#502 0x448 Child Process Medium net1.exe C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y #495
#503 0x718 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop AcrSch2Svc /y #422
#504 0x878 Child Process Medium net1.exe C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y #497
#505 0x870 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Symantec System Recovery" /y #499
#506 0x894 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y #500
#507 0xc14 Child Process Medium net1.exe C:\Windows\system32\net1 stop AcronisAgent /y #501
#508 0x9f0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop Antivirus /y #422
#509 0x34c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ARSM /y #422
#510 0x158 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y #422
#511 0xa64 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y #422
#512 0xc08 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y #422
#513 0x534 Child Process Medium net1.exe C:\Windows\system32\net1 stop ARSM /y #509
#514 0xbe8 Child Process Medium net1.exe C:\Windows\system32\net1 stop Antivirus /y #508
#515 0x32c Child Process Medium net1.exe C:\Windows\system32\net1 stop AcrSch2Svc /y #503
#516 0xef8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y #422
#517 0xf2c Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecAgentBrowser /y #511
#518 0xf54 Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y #510
#519 0xf38 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecManagementService /y #422
#520 0xf14 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecRPCService /y #422
#521 0xefc Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecJobEngine /y #516
#522 0xfa0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y #422
#523 0xdc0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop bedbg /y #422
#524 0xa14 Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y #512
#525 0xfb0 Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecRPCService /y #520
#526 0xd54 Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecManagementService /y #519
#527 0xe3c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop DCAgent /y #422
#528 0xfbc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop EPSecurityService /y #422
#529 0xaec Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecVSSProvider /y #522
#530 0xc5c Child Process Medium net1.exe C:\Windows\system32\net1 stop bedbg /y #523
#531 0xd18 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop EPUpdateService /y #422
#532 0xe94 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop EraserSvc11710 /y #422
#533 0xd40 Child Process Medium net1.exe C:\Windows\system32\net1 stop EPSecurityService /y #528
#534 0xe2c Child Process Medium net1.exe C:\Windows\system32\net1 stop DCAgent /y #527
#535 0xd88 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop EsgShKernel /y #422
#536 0xc34 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop FA_Scheduler /y #422
#537 0xb84 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop IISAdmin /y #422
#538 0xb10 Child Process Medium net1.exe C:\Windows\system32\net1 stop EraserSvc11710 /y #532
#539 0xafc Child Process Medium net1.exe C:\Windows\system32\net1 stop EPUpdateService /y #531
#540 0xaf8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop IMAP4Svc /y #422
#541 0xd48 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop macmnsvc /y #422
#542 0xbe0 Child Process Medium net1.exe C:\Windows\system32\net1 stop EsgShKernel /y #535
#543 0xa24 Child Process Medium net1.exe C:\Windows\system32\net1 stop FA_Scheduler /y #536
#544 0xa70 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop masvc /y #422
#545 0xc04 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MBAMService /y #422
#546 0xb94 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MBEndpointAgent /y #422
#547 0xa80 Child Process Medium net1.exe C:\Windows\system32\net1 stop IISAdmin /y #537
#548 0xe28 Child Process Medium net1.exe C:\Windows\system32\net1 stop macmnsvc /y #541
#549 0xd0c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop McAfeeEngineService /y #422
#550 0xd10 Child Process Medium net1.exe C:\Windows\system32\net1 stop IMAP4Svc /y #540
#551 0x9b8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop McAfeeFramework /y #422
#552 0xba0 Child Process Medium net1.exe C:\Windows\system32\net1 stop masvc /y #544
#553 0xac4 Child Process Medium net1.exe C:\Windows\system32\net1 stop MBAMService /y #545
#554 0x928 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y #422
#555 0x9c0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop McShield /y #422
#556 0x9b4 Child Process Medium net1.exe C:\Windows\system32\net1 stop MBEndpointAgent /y #546
#557 0xaa8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop McTaskManager /y #422
#558 0x9dc Child Process Medium net1.exe C:\Windows\system32\net1 stop McAfeeFramework /y #551
#559 0x7bc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop mfemms /y #422
#560 0xc6c Child Process Medium net1.exe C:\Windows\system32\net1 stop McAfeeEngineService /y #549
#561 0xb08 Child Process Medium net1.exe C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y #554
#562 0xab4 Child Process Medium net1.exe C:\Windows\system32\net1 stop McShield /y #555
#563 0xcd0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop mfevtp /y #422
#564 0xb8c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MMS /y #422
#565 0x9bc Child Process Medium net1.exe C:\Windows\system32\net1 stop McTaskManager /y #557
#566 0xa54 Child Process Medium net1.exe C:\Windows\system32\net1 stop mfemms /y #559
#567 0xb90 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop mozyprobackup /y #422
#568 0xa7c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MsDtsServer /y #422
#569 0x920 Child Process Medium net1.exe C:\Windows\system32\net1 stop MMS /y #564
#570 0xcd4 Child Process Medium net1.exe C:\Windows\system32\net1 stop mfevtp /y #563
#571 0xc9c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MsDtsServer100 /y #422
#572 0x96c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MsDtsServer110 /y #422
#573 0xc28 Child Process Medium net1.exe C:\Windows\system32\net1 stop mozyprobackup /y #567
#574 0xbb0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeES /y #422
#575 0x9d8 Child Process Medium net1.exe C:\Windows\system32\net1 stop MsDtsServer100 /y #571
#576 0xa40 Child Process Medium net1.exe C:\Windows\system32\net1 stop MsDtsServer /y #568
#577 0xa98 Child Process Medium net1.exe C:\Windows\system32\net1 stop MsDtsServer110 /y #572
#578 0xd7c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeIS /y #422
#579 0xadc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y #422
#580 0x9d0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeMTA /y #422
#581 0xdec Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeES /y #574
#582 0xf88 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeSA /y #422
#583 0x86c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeSRS /y #422
#584 0xf98 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeIS /y #578
#585 0xd24 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y #422
#586 0xd68 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeMGMT /y #579
#587 0xdd4 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeMTA /y #580
#588 0xe0c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeSA /y #582
#589 0xde8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y #422
#590 0xf58 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeSRS /y #583
#591 0xccc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y #422
#592 0xf9c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y #422
#593 0x860 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y #422
#594 0xe54 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y #585
#595 0xc1c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y #422
#596 0xcec Child Process Medium net1.exe C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y #589
#597 0x8cc Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y #593
#598 0xe08 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y #422
#599 0xe4c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSOLAP$TPS /y #591
#600 0x864 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y #422
#601 0xe44 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y #422
#602 0x754 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y #592
#603 0x9e0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y #422
#604 0x874 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y #595
#605 0xe60 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y #600
#606 0x8c0 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y #598
#607 0x334 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y #422
#608 0x8e8 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y #603
#609 0x5f0 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y #601
#610 0xe18 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y #422
#611 0x314 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y #422
#612 0xec8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$TPS /y #422
#613 0x644 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y #607
#614 0x538 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y #422
#615 0x820 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y #422
#616 0x89c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y #610
#617 0x78c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y #611
#618 0xb3c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y #422
#619 0x95c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y #422
#620 0x528 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$TPS /y #612
#621 0x734 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y #422
#622 0xc50 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y #615
#623 0xa9c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$TPSAMA /y #614
#624 0xe88 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y #422
#625 0xea8 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y #621
#626 0x440 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y #618
#627 0xe04 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher /y #619
#628 0xf04 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y #422
#629 0xa18 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y #422
#630 0x6f0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y #422
#631 0xfb0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y #422
#632 0xe6c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y #624
#633 0xfac Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y #628
#634 0xf14 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y #629
#635 0xde0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y #422
#636 0xfc8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLSERVER /y #422
#637 0xdc0 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y #630
#638 0x944 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y #631
#639 0xd20 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y #422
#640 0x958 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y #635
#641 0xe40 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLSERVER /y #636
#642 0xfbc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y #422
#643 0xb0c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MySQL80 /y #422
#644 0x7e0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MySQL57 /y #422
#645 0xbdc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ntrtscan /y #422
#646 0xd1c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y #639
#647 0xd30 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLServerOLAPService /y #642
#648 0xc90 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop OracleClientCache80 /y #422
#649 0xb70 Child Process Medium net1.exe C:\Windows\system32\net1 stop MySQL80 /y #643
#650 0xb74 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop PDVFSService /y #422
#651 0x924 Child Process Medium net1.exe C:\Windows\system32\net1 stop MySQL57 /y #644
#652 0xb84 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop POP3Svc /y #422
#653 0xfe8 Child Process Medium net1.exe C:\Windows\system32\net1 stop ntrtscan /y #645
#654 0xd64 Child Process Medium net1.exe C:\Windows\system32\net1 stop OracleClientCache80 /y #648
#655 0x894 Child Process Medium net1.exe C:\Windows\system32\net1 stop PDVFSService /y #650
#656 0x878 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ReportServer /y #422
#657 0x8ec Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y #422
#658 0xc8c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y #422
#659 0xa64 Child Process Medium net1.exe C:\Windows\system32\net1 stop ReportServer /y #656
#660 0x158 Child Process Medium net1.exe C:\Windows\system32\net1 stop POP3Svc /y #652
#661 0xef8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ReportServer$TPS /y #422
#662 0xbb8 Child Process Medium net1.exe C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y #657
#663 0xff8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y #422
#664 0xd10 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop RESvc /y #422
#665 0xc10 Child Process Medium net1.exe C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y #658
#666 0x99c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop sacsvr /y #422
#667 0xfec Child Process Medium net1.exe C:\Windows\system32\net1 stop ReportServer$TPS /y #661
#668 0xa70 Child Process Medium net1.exe C:\Windows\system32\net1 stop ReportServer$TPSAMA /y #663
#669 0xbd8 Child Process Medium net1.exe C:\Windows\system32\net1 stop RESvc /y #664
#670 0x9b4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SamSs /y #422
#671 0xcd8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SAVAdminService /y #422
#672 0xd84 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SAVService /y #422
#673 0xbe4 Child Process Medium net1.exe C:\Windows\system32\net1 stop sacsvr /y #666
#674 0xa60 Child Process Medium net1.exe C:\Windows\system32\net1 stop SamSs /y #670
#675 0x9c0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SDRSVC /y #422
#676 0xb44 Child Process Medium net1.exe C:\Windows\system32\net1 stop SAVAdminService /y #671
#677 0xb28 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SepMasterService /y #422
#678 0x928 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ShMonitor /y #422
#679 0xcb8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop Smcinst /y #422
#680 0x988 Child Process Medium net1.exe C:\Windows\system32\net1 stop SDRSVC /y #675
#681 0xaa8 Child Process Medium net1.exe C:\Windows\system32\net1 stop SAVService /y #672
#682 0xba8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SmcService /y #422
#683 0xa0c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SMTPSvc /y #422
#684 0xbac Child Process Medium net1.exe C:\Windows\system32\net1 stop SepMasterService /y #677
#685 0xa48 Child Process Medium net1.exe C:\Windows\system32\net1 stop Smcinst /y #679
#686 0x974 Child Process Medium net1.exe C:\Windows\system32\net1 stop ShMonitor /y #678
#687 0xce0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SNAC /y #422
#688 0xb90 Child Process Medium net1.exe C:\Windows\system32\net1 stop SmcService /y #682
#689 0x934 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SntpService /y #422
#690 0xa40 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop sophossps /y #422
#691 0xa7c Child Process Medium net1.exe C:\Windows\system32\net1 stop SMTPSvc /y #683
#692 0x990 Child Process Medium net1.exe C:\Windows\system32\net1 stop SntpService /y #689
#693 0xc38 Child Process Medium net1.exe C:\Windows\system32\net1 stop SNAC /y #687
#694 0xb40 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y #422
#695 0x9ec Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y #422
#696 0xedc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y #422
#697 0xbb0 Child Process Medium net1.exe C:\Windows\system32\net1 stop sophossps /y #690
#698 0xbc0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y #422
#699 0xf40 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y #694
#700 0xd04 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y #695
#701 0x97c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y #422
#702 0xf70 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y #698
#703 0xddc Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y #696
#704 0x9d0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y #422
#705 0xf88 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y #701
#706 0xf08 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y #422
#707 0xf94 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y #422
#708 0xe54 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y #422
#709 0x85c Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y #706
#710 0x5f4 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y #707
#711 0x8cc Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y #704
#712 0x838 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y #422
#713 0x8bc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y #422
#714 0x404 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y #708
#715 0xd8c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y #422
#716 0x458 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y #713
#717 0x874 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$TPS /y #712
#718 0xc1c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y #422
#719 0xf64 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLBrowser /y #422
#720 0x69c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y #422
#721 0xe08 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y #715
#722 0x864 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLBrowser /y #719
#723 0xe78 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y #718
#724 0x5f0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y #422
#725 0x130 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y #422
#726 0x324 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y #422
#727 0xc88 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLSafeOLRService /y #720
#728 0x890 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLSERVERAGENT /y #724
#729 0x7e8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLWriter /y #422
#730 0x174 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY /y #725
#731 0xc20 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SstpSvc /y #422
#732 0xe9c Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y #726
#733 0xec0 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLWriter /y #729
#734 0xee4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop svcGenericHost /y #422
#735 0xe00 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop swi_filter /y #422
#736 0x818 Child Process Medium net1.exe C:\Windows\system32\net1 stop SstpSvc /y #731
#737 0xb5c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop swi_service /y #422
#738 0xea0 Child Process Medium net1.exe C:\Windows\system32\net1 stop svcGenericHost /y #734
#739 0xf24 Child Process Medium net1.exe C:\Windows\system32\net1 stop swi_filter /y #735
#740 0xfac Child Process Medium net.exe "C:\Windows\System32\net.exe" stop swi_update_64 /y #422
#741 0xb7c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop TmCCSF /y #422
#742 0xde4 Child Process Medium net1.exe C:\Windows\system32\net1 stop swi_service /y #737
#743 0xd50 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop tmlisten /y #422
#744 0xa18 Child Process Medium net1.exe C:\Windows\system32\net1 stop TmCCSF /y #741
#745 0xdc0 Child Process Medium net1.exe C:\Windows\system32\net1 stop swi_update_64 /y #740
#746 0x6f0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop TrueKey /y #422
#747 0xa2c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y #422
#748 0xae0 Child Process Medium net1.exe C:\Windows\system32\net1 stop tmlisten /y #743
#749 0xfc4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y #422
#750 0xe10 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop UI0Detect /y #422
#751 0xb1c Child Process Medium net1.exe C:\Windows\system32\net1 stop TrueKey /y #746
#752 0x368 Child Process Medium net1.exe C:\Windows\system32\net1 stop TrueKeyServiceHelper /y #749
#753 0xde0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y #422
#754 0xfe4 Child Process Medium net1.exe C:\Windows\system32\net1 stop TrueKeyScheduler /y #747
#755 0xd30 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y #422
#756 0xfd8 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamBackupSvc /y #753
#757 0xc84 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y #422
#758 0xeac Child Process Medium net1.exe C:\Windows\system32\net1 stop UI0Detect /y #750
#759 0xe3c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y #422
#760 0xb0c Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamBrokerSvc /y #755
#761 0xffc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y #422
#762 0x3a8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y #422
#763 0xfe8 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamCatalogSvc /y #757
#764 0xa24 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamCloudSvc /y #759
#765 0xc90 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y #422
#766 0x51c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamMountSvc /y #422
#767 0xa80 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamDeploySvc /y #762
#768 0x58c Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamDeploymentService /y #761
#769 0x9e0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y #422
#770 0x7d8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y #422
#771 0x92c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y #422
#772 0x8fc Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y #765
#773 0xe04 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamMountSvc /y #766
#774 0x734 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop W3Svc /y #422
#775 0x87c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop wbengine /y #422
#776 0x848 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamTransportSvc /y #771
#777 0x218 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamNFSSvc /y #769
#778 0xbe8 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamRESTSvc /y #770
#779 0xcc8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop WRSVC /y #422
#780 0x8ec Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y #422
#781 0x970 Child Process Medium net1.exe C:\Windows\system32\net1 stop wbengine /y #775
#782 0xbbc Child Process Medium net1.exe C:\Windows\system32\net1 stop W3Svc /y #774
#783 0xaf8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y #422
#784 0xbf0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y #422
#785 0xae8 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y #780
#786 0xebc Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y #783
#787 0xee8 Child Process Medium net1.exe C:\Windows\system32\net1 stop WRSVC /y #779
#788 0xca0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop swi_update /y #422
#789 0xb14 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y #422
#790 0x99c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y #422
#791 0xb30 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y #784
#792 0x9dc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "SQL Backups" /y #422
#793 0x9b8 Child Process Medium net1.exe C:\Windows\system32\net1 stop swi_update /y #788
#794 0x8dc Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$CXDB /y #789
#795 0x884 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y #790
#796 0xb88 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$PROD /y #422
#797 0xbcc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y #422
#798 0xaac Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y #422
#799 0xd0c Child Process Medium net1.exe C:\Windows\system32\net1 stop "SQL Backups" /y #792
#800 0xc4c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$PROD /y #796
#801 0xc0c Child Process Medium net1.exe C:\Windows\system32\net1 stop "Zoolz 2 Service" /y #797
#802 0xb24 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y #422
#803 0xb68 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop msftesql$PROD /y #422
#804 0xd60 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop NetMsmqActivator /y #422
#805 0x9bc Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper /y #798
#806 0x920 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$PROD /y #802
#807 0xc78 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop EhttpSrv /y #422
#808 0x990 Child Process Medium net1.exe C:\Windows\system32\net1 stop msftesql$PROD /y #803
#809 0xca8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ekrn /y #422
#810 0x9c4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ESHASRV /y #422
#811 0xb8c Child Process Medium net1.exe C:\Windows\system32\net1 stop NetMsmqActivator /y #804
#812 0x8a4 Child Process Medium net1.exe C:\Windows\system32\net1 stop EhttpSrv /y #807
#813 0xc94 Child Process Medium net1.exe C:\Windows\system32\net1 stop ekrn /y #809
#814 0xd00 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y #422
#815 0x20c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y #422
#816 0xc3c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop AVP /y #422
#817 0x9a4 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SOPHOS /y #814
#818 0xd7c Child Process Medium net1.exe C:\Windows\system32\net1 stop ESHASRV /y #810
#819 0xdd0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop klnagent /y #422
#820 0xc4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y #422
#821 0xf3c Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y #815
#822 0xe64 Child Process Medium net1.exe C:\Windows\system32\net1 stop AVP /y #816
#823 0xd14 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y #422
#824 0xcec Child Process Medium net.exe "C:\Windows\System32\net.exe" stop wbengine /y #422
#825 0xf6c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop kavfsslp /y #422
#826 0xe4c Child Process Medium net1.exe C:\Windows\system32\net1 stop klnagent /y #819
#827 0x908 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y #820
#828 0xf0c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop KAVFSGT /y #422
#829 0x640 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop KAVFS /y #422
#830 0xf50 Child Process Medium net1.exe C:\Windows\system32\net1 stop kavfsslp /y #825
#831 0xeec Child Process Medium net1.exe C:\Windows\system32\net1 stop wbengine /y #824
#832 0x860 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y #823
#833 0xe60 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop mfefire /y #422
#834 0xdb4 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" /f #422
#835 0x49c Injection Medium taskhost.exe "taskhost.exe" #422
#836 0x804 Child Process Medium net1.exe C:\Windows\system32\net1 stop KAVFS /y #829
#837 0x40c Child Process Medium net1.exe C:\Windows\system32\net1 stop KAVFSGT /y #828
#838 0x6fc Injection Medium dwm.exe "C:\Windows\system32\Dwm.exe" #422
#839 0xe78 Child Process Medium net1.exe C:\Windows\system32\net1 stop mfefire /y #833
#840 0xc1c Child Process Medium reg.exe REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" /f #834

Behavior Information - Grouped by Category

Process #1: fmoac.exe
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:29, Reason: Analysis Target
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:01:29
OS Process Information
Information Value
PID 0x910
Parent PID 0x458 (c:\windows\system32\net1.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory rw True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000080000 0x00080000 0x00080fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0008ffff Private Memory rw True False False -
pagefile_0x0000000000080000 0x00080000 0x00089fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000090000 0x00090000 0x00091fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
locale.nls 0x001b0000 0x00216fff Memory Mapped File r False False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
oleaccrc.dll 0x00320000 0x00320fff Memory Mapped File r False False False -
pagefile_0x0000000000320000 0x00320000 0x00329fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000330000 0x00330000 0x00331fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000340000 0x00340000 0x00346fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000350000 0x00350000 0x00351fff Pagefile Backed Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
cversions.2.db 0x005f0000 0x005f3fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db 0x00600000 0x0061efff Memory Mapped File r True False False -
pagefile_0x0000000000620000 0x00620000 0x00620fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x00630000 0x00633fff Memory Mapped File r True False False -
pagefile_0x0000000000640000 0x00640000 0x00640fff Pagefile Backed Memory rw True False False -
private_0x0000000000650000 0x00650000 0x0065ffff Private Memory rw True False False -
pagefile_0x0000000000660000 0x00660000 0x007e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007f0000 0x007f0000 0x01beffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01bf0000 0x01ebefff Memory Mapped File r False False False -
pagefile_0x0000000001ec0000 0x01ec0000 0x01f9efff Pagefile Backed Memory r True False False -
private_0x0000000001fa0000 0x01fa0000 0x0209ffff Private Memory rw True False False -
pagefile_0x0000000001fa0000 0x01fa0000 0x01fa0fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x01fb0000 0x01fb3fff Memory Mapped File r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x020a0000 0x020cffff Memory Mapped File r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x020d0000 0x02135fff Memory Mapped File r True False False -
private_0x00000000021e0000 0x021e0000 0x0225ffff Private Memory rw True False False -
private_0x0000000002260000 0x02260000 0x0235ffff Private Memory rw True False False -
private_0x0000000002370000 0x02370000 0x0246ffff Private Memory rw True False False -
pagefile_0x0000000002470000 0x02470000 0x02862fff Pagefile Backed Memory r True False False -
private_0x0000000002890000 0x02890000 0x0298ffff Private Memory rw True False False -
private_0x0000000002a10000 0x02a10000 0x02b0ffff Private Memory rw True False False -
private_0x0000000002be0000 0x02be0000 0x02cdffff Private Memory rw True False False -
private_0x0000000002d10000 0x02d10000 0x02e0ffff Private Memory rw True False False -
private_0x0000000002f00000 0x02f00000 0x02ffffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
psapi.dll 0x77830000 0x77836fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
fmoac.exe 0x13f060000 0x13f095fff Memory Mapped File rwx True True False
oleacc.dll 0x7fef5230000 0x7fef5283fff Memory Mapped File rwx False False False -
ieframe.dll 0x7fef5290000 0x7fef5e46fff Memory Mapped File rwx False False False -
api-ms-win-core-synch-l1-2-0.dll 0x7fef8ed0000 0x7fef8ed2fff Memory Mapped File rwx False False False -
apphelp.dll 0x7fefa4d0000 0x7fefa526fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefb520000 0x7fefb54cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
propsys.dll 0x7fefbf70000 0x7fefc09bfff Memory Mapped File rwx False False False -
comctl32.dll 0x7fefc0f0000 0x7fefc2e3fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd5c0000 0x7fefd5cefff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefd660000 0x7fefd66efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefd670000 0x7fefd6a5fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefd750000 0x7fefd8b6fff Memory Mapped File rwx False False False -
devobj.dll 0x7fefd900000 0x7fefd919fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
urlmon.dll 0x7fefd990000 0x7fefdb07fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
wldap32.dll 0x7fefe1b0000 0x7fefe201fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
setupapi.dll 0x7feff0f0000 0x7feff2c6fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
wininet.dll 0x7feff360000 0x7feff489fff Memory Mapped File rwx False False False -
iertutil.dll 0x7feff4e0000 0x7feff738fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (5)
Operation Filename Additional Information Success Count
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Delete - - False 1
Process (332)
Operation Process Additional Information Success Count
Create taskkill show_window = SW_HIDE True 44
Create net show_window = SW_HIDE True 184
Create C:\Windows\System32\cmd.exe show_window = SW_HIDE True 1
Open System desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\services.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\explorer.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft office\flu financial.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\msbuild\andreas_organisms.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft office\humans.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\microsoft.net\minus.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\mozilla firefox\hart.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\microsoft visual studio 8\electronicjustify.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows defender\spatial.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows nt\cruise_established_elegant.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows photo viewer\elder studying.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\sc.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\common files\butterfly-guidelines.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows nt\schoolspoll.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows defender\marina.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\rundll32.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows journal\mill-clearing.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows photo viewer\brand.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows sidebar\verification.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\dvd maker\committeeinstitution.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows defender\dev.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows media player\raise-ng.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\dvd maker\quote_proud.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft office\flu financial.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\msbuild\andreas_organisms.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft office\humans.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\microsoft.net\minus.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\mozilla firefox\hart.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\microsoft visual studio 8\electronicjustify.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows defender\spatial.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows nt\cruise_established_elegant.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows photo viewer\elder studying.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\sc.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\common files\butterfly-guidelines.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows nt\schoolspoll.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows defender\marina.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\rundll32.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows journal\mill-clearing.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows photo viewer\brand.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows sidebar\verification.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\dvd maker\committeeinstitution.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows defender\dev.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows media player\raise-ng.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\dvd maker\quote_proud.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS False 1
Thread (3)
Operation Process Additional Information Success Count
Create c:\windows\system32\dwm.exe proc_address = 0x13f0619a0, proc_parameter = 5352325120, flags = THREAD_RUNS_IMMEDIATELY True 1
Create c:\windows\system32\taskhost.exe proc_address = 0x13f0619a0, proc_parameter = 5352325120, flags = THREAD_RUNS_IMMEDIATELY True 1
Create c:\windows\system32\taskeng.exe proc_address = 0x13f0619a0, proc_parameter = 5352325120, flags = THREAD_RUNS_IMMEDIATELY True 1
Memory (29)
Operation Process Additional Information Success Count
Allocate c:\windows\system32\dwm.exe address = 0x13f060000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1
Allocate c:\windows\system32\taskhost.exe address = 0x13f060000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1
Allocate c:\windows\system32\taskeng.exe address = 0x13f060000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1
Allocate c:\program files\microsoft office\flu financial.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\msbuild\andreas_organisms.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\microsoft office\humans.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\microsoft.net\minus.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\mozilla firefox\hart.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\windows\system32\conhost.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\microsoft visual studio 8\electronicjustify.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\windows defender\spatial.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\windows nt\cruise_established_elegant.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\windows photo viewer\elder studying.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\windows\system32\conhost.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\windows\system32\sc.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\common files\butterfly-guidelines.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\windows nt\schoolspoll.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\windows defender\marina.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\windows\system32\rundll32.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\windows journal\mill-clearing.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\windows photo viewer\brand.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\windows sidebar\verification.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\dvd maker\committeeinstitution.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\windows defender\dev.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\windows media player\raise-ng.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\dvd maker\quote_proud.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Write c:\windows\system32\dwm.exe address = 0x13f060000, size = 221184 True 1
Write c:\windows\system32\taskhost.exe address = 0x13f060000, size = 221184 True 1
Write c:\windows\system32\taskeng.exe address = 0x13f060000, size = 221184 True 1
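Read together, the Process, Thread and Memory tables above record a textbook remote-thread injection: the sample opens processes with PROCESS_ALL_ACCESS (it runs elevated and looks up SeDebugPrivilege, see the User table below), allocates a 221184-byte PAGE_EXECUTE_READWRITE region at 0x13f060000 in dwm.exe, taskhost.exe and taskeng.exe (the same address as the sample's own image base in the Module table), writes 221184 bytes into it and starts a thread at 0x13f0619a0 inside that region; the same allocation fails in every other opened process. The script below is an added example, not VMRay code or output: it parses rows in the shape of these tables (constructed here from the rows above, with a leading section column that the report itself does not carry) and correlates them per target process into an injection verdict, and it totals the Create rows to surface the taskkill/net burst. The "attempted" verdict, the address-within-region check and the spawn threshold of 10 are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample rows mirroring the Process/Thread/Memory tables of the report.
# Shape: "<section> <Operation> <target> <key = value, ...> <Success> <Count>";
# the leading section column is this example's own addition, not a report column.
SAMPLE_ROWS = r"""
Process Create taskkill show_window = SW_HIDE True 44
Process Create net show_window = SW_HIDE True 184
Process Create C:\Windows\System32\cmd.exe show_window = SW_HIDE True 1
Process Open System desired_access = PROCESS_ALL_ACCESS False 1
Process Open c:\windows\system32\dwm.exe desired_access = PROCESS_ALL_ACCESS True 1
Process Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Process Open c:\program files\microsoft office\flu financial.exe desired_access = PROCESS_ALL_ACCESS True 1
Thread Create c:\windows\system32\dwm.exe proc_address = 0x13f0619a0, proc_parameter = 5352325120, flags = THREAD_RUNS_IMMEDIATELY True 1
Thread Create c:\windows\system32\taskhost.exe proc_address = 0x13f0619a0, proc_parameter = 5352325120, flags = THREAD_RUNS_IMMEDIATELY True 1
Memory Allocate c:\windows\system32\dwm.exe address = 0x13f060000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1
Memory Allocate c:\windows\system32\taskhost.exe address = 0x13f060000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1
Memory Allocate c:\program files\microsoft office\flu financial.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Memory Write c:\windows\system32\dwm.exe address = 0x13f060000, size = 221184 True 1
Memory Write c:\windows\system32\taskhost.exe address = 0x13f060000, size = 221184 True 1
""".strip().splitlines()

# Target paths may contain spaces, so the target is matched non-greedily up to the
# first "key = value" field; the info block runs to the trailing Success/Count pair.
ROW_RE = re.compile(
    r"^(?P<section>\w+) (?P<op>\w+) (?P<target>.+?) "
    r"(?P<info>\w+ = .*?|-) (?P<success>True|False) (?P<count>\d+)$"
)


def parse_info(info):
    """Turn 'a = 1, b = X, Y, c = 2' into {'a': '1', 'b': 'X, Y', 'c': '2'}.
    A comma-separated part without ' = ' continues the previous value (flag lists)."""
    fields, key = {}, None
    for part in info.split(", "):
        if " = " in part:
            key, value = part.split(" = ", 1)
            fields[key] = value
        elif key is not None:
            fields[key] += ", " + part
    return fields


def parse_rows(lines):
    events = []
    for line in lines:
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ev = m.groupdict()
        ev["target"] = ev["target"].lower()  # the report mixes path case
        ev["info"] = parse_info(ev["info"])
        ev["success"] = ev["success"] == "True"
        ev["count"] = int(ev["count"])
        events.append(ev)
    return events


def child_spawn_counts(events, min_count=10):
    """Total successful Process/Create rows per image name and return those at or
    above min_count (an assumed threshold chosen to catch the taskkill/net burst)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["section"] == "Process" and ev["op"] == "Create" and ev["success"]:
            counts[ev["target"].rsplit("\\", 1)[-1]] += ev["count"]
    return {name: n for name, n in counts.items() if n >= min_count}


def _inside(region, addr):
    return region is not None and region[0] <= addr < region[1]


def injection_verdicts(events):
    """Per target, correlate Open(PROCESS_ALL_ACCESS) -> Allocate(RWX) -> Write -> Thread Create.
    Write and thread addresses are checked against the allocated region only at the
    end, so the report's section order (Thread before Memory) does not matter."""
    state = defaultdict(lambda: {"opened": False, "alloc_tried": False,
                                 "region": None, "writes": [], "threads": []})
    for ev in events:
        s, sec, op, info = state[ev["target"]], ev["section"], ev["op"], ev["info"]
        if sec == "Process" and op == "Open":
            s["opened"] |= ev["success"] and "PROCESS_ALL_ACCESS" in info.get("desired_access", "")
        elif sec == "Memory" and op == "Allocate" and "PAGE_EXECUTE_READWRITE" in info.get("protection", ""):
            s["alloc_tried"] = True
            if ev["success"]:
                base = int(info["address"], 16)
                s["region"] = (base, base + int(info["size"]))
        elif sec == "Memory" and op == "Write" and ev["success"]:
            s["writes"].append(int(info["address"], 16))
        elif sec == "Thread" and op == "Create" and ev["success"]:
            s["threads"].append(int(info["proc_address"], 16))
    verdicts = {}
    for target, s in state.items():
        wrote = any(_inside(s["region"], a) for a in s["writes"])
        ran = any(_inside(s["region"], a) for a in s["threads"])
        if s["opened"] and wrote and ran:
            verdicts[target] = "injected"   # full chain: handle, RWX region, payload, thread
        elif s["opened"] and s["alloc_tried"]:
            verdicts[target] = "attempted"  # handle obtained but the RWX allocation failed
        elif s["opened"]:
            verdicts[target] = "opened"
    return verdicts


if __name__ == "__main__":
    events = parse_rows(SAMPLE_ROWS)
    print("spawn burst:", child_spawn_counts(events))
    for target, verdict in injection_verdicts(events).items():
        print(f"{verdict:9} {target}")
```

Run against the constructed rows, dwm.exe and taskhost.exe come back as "injected", the Program Files target as "attempted" (its allocation returned address 0x0 and failed), and the spawn totals flag taskkill and net. The same correlation applied to Sysmon or EDR telemetry (process access, remote allocation, remote write, remote thread against one target PID) is what separates a real injection from a tool that merely enumerates processes with a broad access mask.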
Module (66)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Load api-ms-win-core-synch-l1-2-0 base_address = 0x7fef8ed0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 4
Load kernel32 base_address = 0x0 False 2
Load kernel32 base_address = 0x77550000 True 2
Load advapi32 base_address = 0x0 False 1
Load advapi32 base_address = 0x7feff740000 True 1
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 2
Load kernel32.dll base_address = 0x77550000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x0 False 2
Load ext-ms-win-kernel32-package-current-l1-1-0 base_address = 0x0 False 2
Get Handle c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe base_address = 0x13f060000 True 28
Get Handle mscoree.dll - False 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe, size = 260 True 3
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe, size = 320 True 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe, size = 100 True 1
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 2
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x77567190 True 2
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x7756bd90 True 2
Get Address c:\windows\system32\advapi32.dll function = EventRegister, address_out = 0x776acac0 True 1
Get Address c:\windows\system32\advapi32.dll function = EventSetInformation, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x77573520 True 1
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x7759b710 True 1
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x775591d0 True 1
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (45)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 2
Sleep duration = 300 milliseconds (0.300 seconds) True 39
Get Time type = System Time, time = 2018-11-27 19:42:47 (UTC) True 1
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 2
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #2: taskkill.exe
Information Value
ID #2
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:40, Reason: Child Process
Unmonitor End Time: 00:01:02, Reason: Self Terminated
Monitor Duration 00:00:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x938
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x93C, 0xAA4, 0xAB0, 0xAF0, 0xAF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory r True False False -
private_0x00000000002c0000 0x002c0000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x005c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00750fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x01b5ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b60000 0x01c1ffff Memory Mapped File rw False False False -
private_0x0000000001ca0000 0x01ca0000 0x01d1ffff Private Memory rw True False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory rw True False False -
private_0x0000000001df0000 0x01df0000 0x01e6ffff Private Memory rw True False False -
private_0x0000000001e90000 0x01e90000 0x01f0ffff Private Memory rw True False False -
sortdefault.nls 0x01f10000 0x021defff Memory Mapped File r False False False -
private_0x0000000002350000 0x02350000 0x023cffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7020000 0x7fef7033fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
fastprox.dll 0x7fef7360000 0x7fef7441fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #3: taskkill.exe
Information Value
ID #3
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:41, Reason: Child Process
Unmonitor End Time: 00:01:03, Reason: Self Terminated
Monitor Duration 00:00:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x944
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x948
0xAB4
0xAEC
0xB38
0xB3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00256fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000260000 0x00260000 0x00261fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00270000 0x00273fff Memory Mapped File rw False False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory r True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
pagefile_0x0000000000410000 0x00410000 0x00597fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005a0000 0x005a0000 0x00720fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000730000 0x00730000 0x01b2ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b30000 0x01beffff Memory Mapped File rw False False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
private_0x0000000001cc0000 0x01cc0000 0x01d3ffff Private Memory rw True False False -
private_0x0000000001da0000 0x01da0000 0x01e1ffff Private Memory rw True False False -
private_0x0000000001e40000 0x01e40000 0x01ebffff Private Memory rw True False False -
private_0x0000000001ed0000 0x01ed0000 0x01f4ffff Private Memory rw True False False -
sortdefault.nls 0x01f50000 0x0221efff Memory Mapped File r False False False -
private_0x00000000022a0000 0x022a0000 0x0231ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #4: taskkill.exe
Information Value
ID #4
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:41, Reason: Child Process
Unmonitor End Time: 00:01:05, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x964
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x968
0xA9C
0xAAC
0xACC
0xAD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00230000 0x002effff Memory Mapped File rw False False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory rw True False False -
pagefile_0x0000000000550000 0x00550000 0x006d7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x00860fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000870000 0x00870000 0x01c6ffff Pagefile Backed Memory r True False False -
private_0x0000000001ce0000 0x01ce0000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
private_0x0000000001f10000 0x01f10000 0x01f8ffff Private Memory rw True False False -
private_0x0000000002030000 0x02030000 0x020affff Private Memory rw True False False -
sortdefault.nls 0x020b0000 0x0237efff Memory Mapped File r False False False -
private_0x0000000002400000 0x02400000 0x0247ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7020000 0x7fef7033fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
fastprox.dll 0x7fef7360000 0x7fef7441fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #5: taskkill.exe
Information Value
ID #5
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:41, Reason: Child Process
Unmonitor End Time: 00:01:05, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x97c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x980
0xAA0
0xAB8
0xB04
0xB08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernelbase.dll.mui 0x003e0000 0x0049ffff Memory Mapped File rw False False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007d0000 0x007d0000 0x01bcffff Pagefile Backed Memory r True False False -
private_0x0000000001c50000 0x01c50000 0x01ccffff Private Memory rw True False False -
private_0x0000000001d90000 0x01d90000 0x01e0ffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
sortdefault.nls 0x01ee0000 0x021aefff Memory Mapped File r False False False -
private_0x00000000021f0000 0x021f0000 0x0226ffff Private Memory rw True False False -
private_0x0000000002310000 0x02310000 0x0238ffff Private Memory rw True False False -
private_0x00000000024e0000 0x024e0000 0x0255ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7020000 0x7fef7033fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #6: taskkill.exe
Information Value
ID #6
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:41, Reason: Child Process
Unmonitor End Time: 00:01:02, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9a4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9A8
0xAE8
0xB1C
0xB64
0xB68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00340000 0x003fffff Memory Mapped File rw False False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
pagefile_0x0000000000520000 0x00520000 0x006a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000840000 0x00840000 0x01c3ffff Pagefile Backed Memory r True False False -
private_0x0000000001ca0000 0x01ca0000 0x01d1ffff Private Memory rw True False False -
private_0x0000000001e00000 0x01e00000 0x01e7ffff Private Memory rw True False False -
private_0x0000000001e90000 0x01e90000 0x01f0ffff Private Memory rw True False False -
private_0x0000000001fc0000 0x01fc0000 0x0203ffff Private Memory rw True False False -
private_0x0000000002070000 0x02070000 0x020effff Private Memory rw True False False -
sortdefault.nls 0x020f0000 0x023befff Memory Mapped File r False False False -
private_0x00000000023f0000 0x023f0000 0x0246ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #7: taskkill.exe
Information Value
ID #7
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:41, Reason: Child Process
Unmonitor End Time: 00:01:04, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9b8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9BC
0xAE4
0xB18
0xB30
0xB34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x00000000003b0000 0x003b0000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x005c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00750fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x01b5ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b60000 0x01c1ffff Memory Mapped File rw False False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
private_0x0000000001d90000 0x01d90000 0x01e0ffff Private Memory rw True False False -
private_0x0000000001e40000 0x01e40000 0x01ebffff Private Memory rw True False False -
sortdefault.nls 0x01ec0000 0x0218efff Memory Mapped File r False False False -
private_0x0000000002250000 0x02250000 0x022cffff Private Memory rw True False False -
private_0x00000000023d0000 0x023d0000 0x0244ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7020000 0x7fef7033fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #8: taskkill.exe
Information Value
ID #8
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:42, Reason: Child Process
Unmonitor End Time: 00:01:02, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa6c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA70
0xB80
0xBA0
0xBB4
0xBB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x001e0000 0x001e3fff Memory Mapped File rw False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x00567fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000570000 0x00570000 0x006f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x01afffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b00000 0x01bbffff Memory Mapped File rw False False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
private_0x0000000001d90000 0x01d90000 0x01e0ffff Private Memory rw True False False -
private_0x0000000001e90000 0x01e90000 0x01f0ffff Private Memory rw True False False -
sortdefault.nls 0x01f10000 0x021defff Memory Mapped File r False False False -
private_0x0000000002200000 0x02200000 0x0227ffff Private Memory rw True False False -
private_0x00000000022c0000 0x022c0000 0x0233ffff Private Memory rw True False False -
private_0x00000000023a0000 0x023a0000 0x0241ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #9: taskkill.exe
Information Value
ID #9
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:42, Reason: Child Process
Unmonitor End Time: 00:01:02, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa80
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA84
0xB84
0xBA4
0xBBC
0xBC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b50000 0x01c0ffff Memory Mapped File rw False False False -
private_0x0000000001ca0000 0x01ca0000 0x01d1ffff Private Memory rw True False False -
private_0x0000000001d60000 0x01d60000 0x01ddffff Private Memory rw True False False -
private_0x0000000001e40000 0x01e40000 0x01ebffff Private Memory rw True False False -
private_0x0000000001f20000 0x01f20000 0x01f9ffff Private Memory rw True False False -
private_0x0000000002050000 0x02050000 0x020cffff Private Memory rw True False False -
sortdefault.nls 0x020d0000 0x0239efff Memory Mapped File r False False False -
private_0x0000000002480000 0x02480000 0x024fffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #10: taskkill.exe
Information Value
ID #10
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:42, Reason: Child Process
Unmonitor End Time: 00:01:02, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xabc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAC0
0xB88
0xBA8
0xBC4
0xBC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x00567fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000570000 0x00570000 0x006f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x01afffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b00000 0x01bbffff Memory Mapped File rw False False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
private_0x0000000001d90000 0x01d90000 0x01e0ffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
private_0x0000000001f40000 0x01f40000 0x01fbffff Private Memory rw True False False -
sortdefault.nls 0x01fc0000 0x0228efff Memory Mapped File r False False False -
private_0x00000000022e0000 0x022e0000 0x0235ffff Private Memory rw True False False -
private_0x0000000002490000 0x02490000 0x0250ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #11: taskkill.exe
Information Value
ID #11
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:42, Reason: Child Process
Unmonitor End Time: 00:01:02, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xadc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAE0, 0xB8C, 0xBAC, 0xBCC, 0xBD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
pagefile_0x0000000000240000 0x00240000 0x00246fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
taskkill.exe.mui 0x00270000 0x00273fff Memory Mapped File rw False False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory r True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x01adffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ae0000 0x01b9ffff Memory Mapped File rw False False False -
private_0x0000000001bc0000 0x01bc0000 0x01c3ffff Private Memory rw True False False -
private_0x0000000001ca0000 0x01ca0000 0x01d1ffff Private Memory rw True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
sortdefault.nls 0x01dc0000 0x0208efff Memory Mapped File r False False False -
private_0x0000000002150000 0x02150000 0x021cffff Private Memory rw True False False -
private_0x00000000021d0000 0x021d0000 0x0224ffff Private Memory rw True False False -
private_0x00000000022c0000 0x022c0000 0x0233ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #13: taskkill.exe
Information Value
ID #13
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:43, Reason: Child Process
Unmonitor End Time: 00:01:01, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb58
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB5C, 0x838, 0x81C, 0x850, 0x5E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernelbase.dll.mui 0x003b0000 0x0046ffff Memory Mapped File rw False False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
pagefile_0x00000000004d0000 0x004d0000 0x00657fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000660000 0x00660000 0x007e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007f0000 0x007f0000 0x01beffff Pagefile Backed Memory r True False False -
private_0x0000000001bf0000 0x01bf0000 0x01c6ffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
private_0x0000000001e20000 0x01e20000 0x01e9ffff Private Memory rw True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f1ffff Private Memory rw True False False -
sortdefault.nls 0x01f20000 0x021eefff Memory Mapped File r False False False -
private_0x0000000002210000 0x02210000 0x0228ffff Private Memory rw True False False -
private_0x00000000022b0000 0x022b0000 0x0232ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #14: taskkill.exe
Information Value
ID #14
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:44, Reason: Child Process
Unmonitor End Time: 00:01:02, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb74
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB78, 0x83C, 0x578, 0x688, 0x540
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00256fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000260000 0x00260000 0x00261fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00270000 0x00273fff Memory Mapped File rw False False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory r True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x00567fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000570000 0x00570000 0x006f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x01afffff Pagefile Backed Memory r True False False -
private_0x0000000001b20000 0x01b20000 0x01b9ffff Private Memory rw True False False -
kernelbase.dll.mui 0x01ba0000 0x01c5ffff Memory Mapped File rw False False False -
private_0x0000000001d00000 0x01d00000 0x01d7ffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
sortdefault.nls 0x01e00000 0x020cefff Memory Mapped File r False False False -
private_0x0000000002180000 0x02180000 0x021fffff Private Memory rw True False False -
private_0x0000000002240000 0x02240000 0x022bffff Private Memory rw True False False -
private_0x0000000002370000 0x02370000 0x023effff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #15: taskkill.exe
Information Value
ID #15
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:44, Reason: Child Process
Unmonitor End Time: 00:01:02, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbfc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x424, 0x518, 0x1E0, 0x260, 0x6E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b80000 0x01c3ffff Memory Mapped File rw False False False -
private_0x0000000001cb0000 0x01cb0000 0x01d2ffff Private Memory rw True False False -
private_0x0000000001dc0000 0x01dc0000 0x01e3ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #16: taskkill.exe
Information Value
ID #16
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:44, Reason: Child Process
Unmonitor End Time: 00:01:02, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x78c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x818, 0x548, 0x24C, 0x6F8, 0x864
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x001dffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
pagefile_0x0000000000520000 0x00520000 0x006a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000840000 0x00840000 0x01c3ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01c40000 0x01cfffff Memory Mapped File rw False False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001f20000 0x01f20000 0x01f9ffff Private Memory rw True False False -
private_0x0000000001fa0000 0x01fa0000 0x0201ffff Private Memory rw True False False -
sortdefault.nls 0x02020000 0x022eefff Memory Mapped File r False False False -
private_0x0000000002340000 0x02340000 0x023bffff Private Memory rw True False False -
private_0x00000000023d0000 0x023d0000 0x0244ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #17: taskkill.exe
0 0
Information Value
ID #17
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:45, Reason: Child Process
Unmonitor End Time: 00:01:04, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x840
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x844
0xC0
0x274
0x8C4
0x8C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x001f0000 0x001f3fff Memory Mapped File rw False False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00417fff Pagefile Backed Memory r True False False -
private_0x0000000000420000 0x00420000 0x00420fff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x00430fff Pagefile Backed Memory r True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
pagefile_0x0000000000540000 0x00540000 0x006c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006d0000 0x006d0000 0x01acffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001ad0000 0x01ad0000 0x01ad0fff Pagefile Backed Memory r True False False -
private_0x0000000001b40000 0x01b40000 0x01bbffff Private Memory rw True False False -
kernelbase.dll.mui 0x01bc0000 0x01c7ffff Memory Mapped File rw False False False -
private_0x0000000001cc0000 0x01cc0000 0x01d3ffff Private Memory rw True False False -
private_0x0000000001e20000 0x01e20000 0x01e9ffff Private Memory rw True False False -
private_0x0000000001ed0000 0x01ed0000 0x01f4ffff Private Memory rw True False False -
private_0x0000000001fa0000 0x01fa0000 0x0201ffff Private Memory rw True False False -
private_0x0000000002080000 0x02080000 0x020fffff Private Memory rw True False False -
sortdefault.nls 0x02100000 0x023cefff Memory Mapped File r False False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #18: taskkill.exe
0 0
Information Value
ID #18
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:45, Reason: Child Process
Unmonitor End Time: 00:01:04, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x824
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x82C
0x6F4
0x7F0
0x6C8
0x324
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
private_0x0000000001bc0000 0x01bc0000 0x01c3ffff Private Memory rw True False False -
kernelbase.dll.mui 0x01c40000 0x01cfffff Memory Mapped File rw False False False -
private_0x0000000001d60000 0x01d60000 0x01ddffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
private_0x0000000001f90000 0x01f90000 0x0200ffff Private Memory rw True False False -
private_0x00000000020a0000 0x020a0000 0x0211ffff Private Memory rw True False False -
sortdefault.nls 0x02120000 0x023eefff Memory Mapped File r False False False -
private_0x0000000002400000 0x02400000 0x0247ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #19: taskkill.exe
0 0
Information Value
ID #19
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:45, Reason: Child Process
Unmonitor End Time: 00:01:04, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7ec
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x7E4
0x8EC
0x878
0x90C
0x854
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
kernelbase.dll.mui 0x001a0000 0x0025ffff Memory Mapped File rw False False False -
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory r True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x004effff Private Memory rw True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory rw True False False -
pagefile_0x0000000000550000 0x00550000 0x006d7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x00860fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000870000 0x00870000 0x01c6ffff Pagefile Backed Memory r True False False -
private_0x0000000001cd0000 0x01cd0000 0x01d4ffff Private Memory rw True False False -
private_0x0000000001da0000 0x01da0000 0x01e1ffff Private Memory rw True False False -
private_0x0000000001ee0000 0x01ee0000 0x01f5ffff Private Memory rw True False False -
private_0x0000000002040000 0x02040000 0x020bffff Private Memory rw True False False -
sortdefault.nls 0x020c0000 0x0238efff Memory Mapped File r False False False -
private_0x00000000023b0000 0x023b0000 0x0242ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #21: taskkill.exe
0 0
Information Value
ID #21
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:45, Reason: Child Process
Unmonitor End Time: 00:01:02, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x724
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x764
0x898
0x874
0x91C
0x3D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
taskkill.exe.mui 0x001f0000 0x001f3fff Memory Mapped File rw False False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0031ffff Private Memory rw True False False -
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory r True False False -
private_0x0000000000330000 0x00330000 0x003affff Private Memory rw True False False -
pagefile_0x00000000003b0000 0x003b0000 0x003b0fff Pagefile Backed Memory r True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
pagefile_0x00000000004c0000 0x004c0000 0x00647fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000650000 0x00650000 0x007d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007e0000 0x007e0000 0x01bdffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01be0000 0x01c9ffff Memory Mapped File rw False False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory rw True False False -
private_0x0000000001de0000 0x01de0000 0x01e5ffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
sortdefault.nls 0x01ee0000 0x021aefff Memory Mapped File r False False False -
private_0x0000000002380000 0x02380000 0x023fffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #22: taskkill.exe
Information Value
ID #22
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:45, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6a0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6EC, 0x908, 0x8F4, 0x978, 0x994
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
pagefile_0x0000000000350000 0x00350000 0x00351fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00360000 0x00363fff Memory Mapped File rw False False False -
private_0x0000000000370000 0x00370000 0x00370fff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x00000000003c0000 0x003c0000 0x0043ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000620000 0x00620000 0x007a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x01baffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01bb0000 0x01c6ffff Memory Mapped File rw False False False -
private_0x0000000001dd0000 0x01dd0000 0x01e4ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #23: taskkill.exe
Information Value
ID #23
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:46, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4e4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6DC, 0x918, 0x8F8, 0x8F0, 0x928
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b50000 0x01c0ffff Memory Mapped File rw False False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
private_0x0000000001cb0000 0x01cb0000 0x01d2ffff Private Memory rw True False False -
private_0x0000000001d30000 0x01d30000 0x01daffff Private Memory rw True False False -
private_0x0000000001ef0000 0x01ef0000 0x01f6ffff Private Memory rw True False False -
sortdefault.nls 0x01f70000 0x0223efff Memory Mapped File r False False False -
private_0x0000000002240000 0x02240000 0x022bffff Private Memory rw True False False -
private_0x0000000002320000 0x02320000 0x0239ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #24: taskkill.exe
Information Value
ID #24
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:46, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8bc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8B4, 0xB0, 0xB94, 0x8A8, 0x8A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
pagefile_0x0000000000350000 0x00350000 0x00351fff Pagefile Backed Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
pagefile_0x0000000000370000 0x00370000 0x004f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000500000 0x00500000 0x00680fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000690000 0x00690000 0x01a8ffff Pagefile Backed Memory r True False False -
taskkill.exe.mui 0x01a90000 0x01a93fff Memory Mapped File rw False False False -
private_0x0000000001aa0000 0x01aa0000 0x01aa0fff Private Memory rw True False False -
private_0x0000000001ab0000 0x01ab0000 0x01ab0fff Private Memory rw True False False -
pagefile_0x0000000001ac0000 0x01ac0000 0x01ac0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001ad0000 0x01ad0000 0x01ad0fff Pagefile Backed Memory r True False False -
private_0x0000000001b20000 0x01b20000 0x01b9ffff Private Memory rw True False False -
kernelbase.dll.mui 0x01ba0000 0x01c5ffff Memory Mapped File rw False False False -
private_0x0000000001c60000 0x01c60000 0x01cdffff Private Memory rw True False False -
private_0x0000000001d00000 0x01d00000 0x01d7ffff Private Memory rw True False False -
private_0x0000000001e30000 0x01e30000 0x01eaffff Private Memory rw True False False -
sortdefault.nls 0x01eb0000 0x0217efff Memory Mapped File r False False False -
private_0x00000000021c0000 0x021c0000 0x0223ffff Private Memory rw True False False -
private_0x0000000002380000 0x02380000 0x023fffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #25: taskkill.exe
Information Value
ID #25
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:46, Reason: Child Process
Unmonitor End Time: 00:01:04, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8e8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x890, 0xAD8, 0x810, 0x89C, 0x8E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x0025ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000610000 0x00610000 0x00790fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007a0000 0x007a0000 0x01b9ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ba0000 0x01c5ffff Memory Mapped File rw False False False -
private_0x0000000001e20000 0x01e20000 0x01e9ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #26: taskkill.exe
Information Value
ID #26
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:46, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8e4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x920
0xAC4
0x330
0x958
0x9AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000f0000 0x000f3fff Memory Mapped File rw False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x005c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00750fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x01b5ffff Pagefile Backed Memory r True False False -
private_0x0000000001c10000 0x01c10000 0x01c8ffff Private Memory rw True False False -
kernelbase.dll.mui 0x01c90000 0x01d4ffff Memory Mapped File rw False False False -
private_0x0000000001e50000 0x01e50000 0x01ecffff Private Memory rw True False False -
private_0x0000000001f00000 0x01f00000 0x01f7ffff Private Memory rw True False False -
private_0x0000000001fe0000 0x01fe0000 0x0205ffff Private Memory rw True False False -
private_0x0000000002080000 0x02080000 0x020fffff Private Memory rw True False False -
sortdefault.nls 0x02100000 0x023cefff Memory Mapped File r False False False -
private_0x0000000002480000 0x02480000 0x024fffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #27: taskkill.exe
Information Value
ID #27
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:46, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8dc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8D0
0xB60
0x770
0xA7C
0x9B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
pagefile_0x00000000004e0000 0x004e0000 0x00667fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000670000 0x00670000 0x007f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000800000 0x00800000 0x01bfffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01c00000 0x01cbffff Memory Mapped File rw False False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001e20000 0x01e20000 0x01e9ffff Private Memory rw True False False -
sortdefault.nls 0x01ea0000 0x0216efff Memory Mapped File r False False False -
private_0x0000000002220000 0x02220000 0x0229ffff Private Memory rw True False False -
private_0x0000000002310000 0x02310000 0x0238ffff Private Memory rw True False False -
private_0x0000000002390000 0x02390000 0x0240ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #28: taskkill.exe
Information Value
ID #28
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:47, Reason: Child Process
Unmonitor End Time: 00:01:04, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x95c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x950
0xC1C
0xC60
0xC74
0xC78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00260000 0x00263fff Memory Mapped File rw False False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory r True False False -
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory rw True False False -
pagefile_0x00000000005b0000 0x005b0000 0x00730fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000740000 0x00740000 0x01b3ffff Pagefile Backed Memory r True False False -
private_0x0000000001b50000 0x01b50000 0x01bcffff Private Memory rw True False False -
kernelbase.dll.mui 0x01bd0000 0x01c8ffff Memory Mapped File rw False False False -
private_0x0000000001cf0000 0x01cf0000 0x01d6ffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
sortdefault.nls 0x01e00000 0x020cefff Memory Mapped File r False False False -
private_0x0000000002230000 0x02230000 0x022affff Private Memory rw True False False -
private_0x00000000022e0000 0x022e0000 0x0235ffff Private Memory rw True False False -
private_0x00000000023b0000 0x023b0000 0x0242ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #29: taskkill.exe
Information Value
ID #29
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:47, Reason: Child Process
Unmonitor End Time: 00:01:05, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x65c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9D0
0xC20
0xC6C
0xCA0
0xCA4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
taskkill.exe.mui 0x00270000 0x00273fff Memory Mapped File rw False False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory r True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x01adffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ae0000 0x01b9ffff Memory Mapped File rw False False False -
private_0x0000000001bc0000 0x01bc0000 0x01c3ffff Private Memory rw True False False -
private_0x0000000001c40000 0x01c40000 0x01cbffff Private Memory rw True False False -
private_0x0000000001cc0000 0x01cc0000 0x01d3ffff Private Memory rw True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001e50000 0x01e50000 0x01ecffff Private Memory rw True False False -
sortdefault.nls 0x01ed0000 0x0219efff Memory Mapped File r False False False -
private_0x00000000021d0000 0x021d0000 0x0224ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
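The processes above all follow one pattern: the elevated analysis target (PID 0x910) spawns, within about a second, a series of taskkill.exe children that each force-terminate a single image name (outlook.exe, powerpnt.exe, sqbcoreservice.exe, sqlagent.exe, sqlbrowser.exe). Office, backup and database processes hold file handles that would block encryption, so a burst of forced kills from one parent is a useful pre-encryption signal. The following detection is an added example, not part of the VMRay report or its output: it parses process-creation records (constructed here in a Sysmon-like shape, not taken from the report), groups taskkill /F children by parent PID, and flags a parent that spawns several of them inside a short window. The five target names are the ones in this report; the window, threshold and field names are assumptions you would adapt to your own telemetry.

```python
"""Flag a burst of 'taskkill /IM <image> /F' children from one parent."""
import re
from collections import defaultdict
from datetime import datetime

# Image names force-killed by the processes above (from their command lines).
# Any further names you add here are your own assumption, not report data.
KNOWN_KILL_TARGETS = {
    "outlook.exe", "powerpnt.exe", "sqbcoreservice.exe",
    "sqlagent.exe", "sqlbrowser.exe",
}

# First token of a command line, quoted or bare; then /IM <image> and /F.
_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
_IM_RE = re.compile(r'/IM\s+"?([^"\s]+)"?', re.IGNORECASE)
_FORCE_RE = re.compile(r'(?:^|\s)/F(?:\s|$)', re.IGNORECASE)


def parse_taskkill(cmdline):
    """Return (targets, forced) for a taskkill command line, else None."""
    m = _EXE_RE.match(cmdline)
    if not m:
        return None
    exe = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
    if exe not in ("taskkill", "taskkill.exe"):
        return None
    targets = {t.lower() for t in _IM_RE.findall(cmdline)}
    return targets, bool(_FORCE_RE.search(cmdline))


def find_kill_bursts(events, window_s=10, min_children=3):
    """events: dicts with time (ISO 8601), ppid, parent_image, cmdline.
    Returns one alert per parent PID whose forced taskkill children reach
    min_children inside any window_s-second span (assumed thresholds)."""
    by_parent = defaultdict(list)
    for ev in events:
        parsed = parse_taskkill(ev["cmdline"])
        if parsed is None:
            continue
        targets, forced = parsed
        if forced and targets:
            by_parent[ev["ppid"]].append(
                (datetime.fromisoformat(ev["time"]), targets, ev.get("parent_image", "")))
    alerts = []
    for ppid, kills in by_parent.items():
        kills.sort(key=lambda k: k[0])
        times = [k[0] for k in kills]
        best, start = None, 0
        for end in range(len(kills)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= min_children and (best is None or count > best[1]):
                best = (start, count, end)
        if best:
            s, count, e = best
            targets = set().union(*(k[1] for k in kills[s:e + 1]))
            alerts.append({
                "ppid": ppid,
                "parent_image": kills[s][2],
                "taskkill_count": count,
                "targets": sorted(targets),
                "known_targets": sorted(targets & KNOWN_KILL_TARGETS),
            })
    return alerts


# Constructed sample records (timestamps and benign rows are made up; the
# five taskkill command lines mirror processes #26-#30 above).
SAMPLE_EVENTS = [
    {"time": "2018-11-27T19:42:46", "ppid": 0x910, "parent_image": r"C:\Users\x\Desktop\FmoAc.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /IM outlook.exe /F'},
    {"time": "2018-11-27T19:42:46", "ppid": 0x910, "parent_image": r"C:\Users\x\Desktop\FmoAc.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F'},
    {"time": "2018-11-27T19:42:47", "ppid": 0x910, "parent_image": r"C:\Users\x\Desktop\FmoAc.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F'},
    {"time": "2018-11-27T19:42:47", "ppid": 0x910, "parent_image": r"C:\Users\x\Desktop\FmoAc.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F'},
    {"time": "2018-11-27T19:42:47", "ppid": 0x910, "parent_image": r"C:\Users\x\Desktop\FmoAc.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F'},
    # benign: an admin killing one hung editor from explorer, and a non-taskkill child
    {"time": "2018-11-27T19:40:00", "ppid": 0x4a0, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'taskkill /IM notepad.exe /F'},
    {"time": "2018-11-27T19:42:48", "ppid": 0x910, "parent_image": r"C:\Users\x\Desktop\FmoAc.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir'},
]

if __name__ == "__main__":
    for alert in find_kill_bursts(SAMPLE_EVENTS):
        print(alert)
```

The threshold of three forced kills in ten seconds is a starting point: a single taskkill from explorer.exe or a logon script is normal, while a kill list like this one arrives as a tight burst from a single parent, so counting per parent PID rather than per host keeps the false-positive rate down. Matching the targets against a list of backup, database and Office images raises confidence but is not required for the alert to fire.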
Process #30: taskkill.exe
Information Value
ID #30
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:47, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb70
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x90
0xC80
0xCCC
0xCD8
0xCDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x001e0000 0x001e3fff Memory Mapped File rw False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x00000000002c0000 0x002c0000 0x0033ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
private_0x0000000000660000 0x00660000 0x0066ffff Private Memory rw True False False -
pagefile_0x0000000000670000 0x00670000 0x007f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000800000 0x00800000 0x01bfffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01c00000 0x01cbffff Memory Mapped File rw False False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory rw True False False -
private_0x0000000001e20000 0x01e20000 0x01e9ffff Private Memory rw True False False -
sortdefault.nls 0x01ea0000 0x0216efff Memory Mapped File r False False False -
private_0x00000000021a0000 0x021a0000 0x0221ffff Private Memory rw True False False -
private_0x00000000022d0000 0x022d0000 0x0234ffff Private Memory rw True False False -
private_0x0000000002460000 0x02460000 0x024dffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #31: taskkill.exe
Information Value
ID #31
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:01:06, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x834
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 568
0x C68
0x C88
0x CAC
0x CB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00230000 0x002effff Memory Mapped File rw False False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
pagefile_0x0000000000510000 0x00510000 0x00697fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006a0000 0x006a0000 0x00820fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000830000 0x00830000 0x01c2ffff Pagefile Backed Memory r True False False -
private_0x0000000001c70000 0x01c70000 0x01ceffff Private Memory rw True False False -
private_0x0000000001dd0000 0x01dd0000 0x01e4ffff Private Memory rw True False False -
private_0x0000000001ef0000 0x01ef0000 0x01f6ffff Private Memory rw True False False -
sortdefault.nls 0x01f70000 0x0223efff Memory Mapped File r False False False -
private_0x0000000002260000 0x02260000 0x022dffff Private Memory rw True False False -
private_0x0000000002340000 0x02340000 0x023bffff Private Memory rw True False False -
private_0x00000000024c0000 0x024c0000 0x0253ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef44e0000 0x7fef4604fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef4610000 0x7fef465bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #32: taskkill.exe
Information Value
ID #32
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc10
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x C14
0x CE4
0x D20
0x D28
0x D2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #33: taskkill.exe
Information Value
ID #33
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc30
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x C34
0x D10
0x D24
0x D30
0x D34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #34: taskkill.exe
Information Value
ID #34
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:49, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc8c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x C90
0x D40
0x D78
0x D88
0x D8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #35: taskkill.exe
Information Value
ID #35
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:49, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcbc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x CC0
0x D6C
0x D7C
0x D80
0x D84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #36: taskkill.exe
Information Value
ID #36
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:49, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xce8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x CEC
0x D98
0x DD8
0x DE4
0x DE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #37: taskkill.exe
Information Value
ID #37
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:49, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd04
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x D08
0x DA4
0x DDC
0x DEC
0x DF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #38: taskkill.exe
Information Value
ID #38
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:50, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd44
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x D48
0x DCC
0x DE0
0x DF4
0x DF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #39: taskkill.exe
Information Value
ID #39
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:50, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd60
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x D64
0x E00
0x E34
0x E38
0x E3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #40: taskkill.exe
Information Value
ID #40
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xda8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x DAC
0x E44
0x E80
0x E88
0x E8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #41: taskkill.exe
Information Value
ID #41
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdc0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDC4
0xE94
0xED0
0xEF0
0xEF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #42: taskkill.exe
Information Value
ID #42
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:52, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe04
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE08
0xE90
0xEAC
0xEDC
0xEE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #43: taskkill.exe
Information Value
ID #43
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:52, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe20
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE24
0xEB4
0xEE4
0xEE8
0xEEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #44: taskkill.exe
Information Value
ID #44
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:52, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe48
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE4C
0xF18
0xF48
0xF84
0xF88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #45: taskkill.exe
Information Value
ID #45
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:52, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe68
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE6C
0xF00
0xF30
0xF4C
0xF50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #46: taskkill.exe
Information Value
ID #46
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:52, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xea0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEA4
0xF34
0xF58
0xF9C
0xFA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #47: taskkill.exe
Information Value
ID #47
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:53, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xec0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEC4
0xF38
0xF6C
0xFA8
0xFAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xffb10000 0xffb2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #48: net.exe
Information Value
ID #48
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:53, Reason: Child Process
Unmonitor End Time: 00:00:55, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf04
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #49: net.exe
Information Value
ID #49
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:53, Reason: Child Process
Unmonitor End Time: 00:00:55, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf24
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #50: net.exe
Information Value
ID #50
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:54, Reason: Child Process
Unmonitor End Time: 00:00:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf60
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #51: net.exe
Information Value
ID #51
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:54, Reason: Child Process
Unmonitor End Time: 00:00:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf78
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #52: net1.exe
Information Value
ID #52
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Enterprise Client Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:54, Reason: Child Process
Unmonitor End Time: 00:00:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfb0
Parent PID 0xf24 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff7e0000 0xff812fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff7e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:05 (UTC) True 1 Fn
Get Time type = Ticks, time = 115518 True 1 Fn
Process #53: net1.exe
Information Value
ID #53
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:54, Reason: Child Process
Unmonitor End Time: 00:00:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfb8
Parent PID 0xf04 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x FBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff7e0000 0xff812fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff7e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:05 (UTC) True 1 Fn
Get Time type = Ticks, time = 115534 True 1 Fn
Process #54: net.exe
0 0
Information Value
ID #54
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:54, Reason: Child Process
Unmonitor End Time: 00:00:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfc4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #55: net.exe
0 0
Information Value
ID #55
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:55, Reason: Child Process
Unmonitor End Time: 00:00:56, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfd8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #56: net.exe
0 0
Information Value
ID #56
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:55, Reason: Child Process
Unmonitor End Time: 00:00:57, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7c0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x828
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #57: net1.exe
17 0
Information Value
ID #57
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:55, Reason: Child Process
Unmonitor End Time: 00:00:55, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc18
Parent PID 0xf60 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff7e0000 0xff812fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff7e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:05 (UTC) True 1 Fn
Get Time type = Ticks, time = 115908 True 1 Fn
Process #58: net1.exe
17 0
Information Value
ID #58
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:55, Reason: Child Process
Unmonitor End Time: 00:00:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc38
Parent PID 0xf78 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff7e0000 0xff812fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff7e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:05 (UTC) True 1 Fn
Get Time type = Ticks, time = 115955 True 1 Fn
Process #59: net.exe
0 0
Information Value
ID #59
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:55, Reason: Child Process
Unmonitor End Time: 00:00:57, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcb8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCD4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #60: net1.exe
17 0
Information Value
ID #60
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:55, Reason: Child Process
Unmonitor End Time: 00:00:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd74
Parent PID 0xfd8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x000affff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff870000 0xff8a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff870000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 116454 True 1 Fn
Process #61: net1.exe
17 0
Information Value
ID #61
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Clean Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:55, Reason: Child Process
Unmonitor End Time: 00:00:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xdb0
Parent PID 0xfc4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff870000 0xff8a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff870000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 116454 True 1 Fn
Process #62: net.exe
0 0
Information Value
ID #62
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:00:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe28
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #63: net.exe
0 0
Information Value
ID #63
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:00:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe70
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #64: net.exe
0 0
Information Value
ID #64
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:00:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf0c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #65: net1.exe
17 0
Information Value
ID #65
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Health Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:00:56, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xf2c
Parent PID 0xcb8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x001bffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0b0000 0xff0e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff0b0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 116735 True 1 Fn
Process #66: net.exe
0 0
Information Value
ID #66
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfe0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #67: net1.exe
17 0
Information Value
ID #67
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:00:58, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf04
Parent PID 0x7c0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff20000 0xfff52fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff20000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 117078 True 1 Fn
Process #68: net1.exe
17 0
Information Value
ID #68
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Message Router" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:00:58, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf1c
Parent PID 0xf0c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000580000 0x00580000 0x0058ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff20000 0xfff52fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff20000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 117109 True 1 Fn
Process #69: net1.exe
17 0
Information Value
ID #69
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:00:58, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xfb0
Parent PID 0xe28 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff20000 0xfff52fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff20000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 117141 True 1 Fn
Process #70: net.exe
0 0
Information Value
ID #70
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc2c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #71: net1.exe
17 0
Information Value
ID #71
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos MCS Client" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:00:58, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xcc4
Parent PID 0xe70 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff20000 0xfff52fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ca0000 0x7fef8cb1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff20000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 117312 True 1 Fn
Process #72: net.exe
0 0
Information Value
ID #72
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:13
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcf0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #73: net.exe
0 0
Information Value
ID #73
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:57, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf78
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #74: net.exe
0 0
Information Value
ID #74
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:57, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:11
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd74
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x00000000005d0000 0x005d0000 0x005dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #75: net.exe
0 0
Information Value
ID #75
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:57, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:11
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfc8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #76: net.exe
0 0
Information Value
ID #76
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:05, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe70
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #77: net1.exe
17 0
Information Value
ID #77
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:06, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xff0
Parent PID 0xd74 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff00000 0xfff32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff00000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:17 (UTC) True 1 Fn
Get Time type = Ticks, time = 127546 True 1 Fn
Process #78: net1.exe
17 0
Information Value
ID #78
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Symantec System Recovery" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:06, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xaf4
Parent PID 0xfc8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff00000 0xfff32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff00000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:17 (UTC) True 1 Fn
Get Time type = Ticks, time = 127577 True 1 Fn
Process #79: net1.exe
17 0
Information Value
ID #79
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:06, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x688
Parent PID 0xfe0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x540
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff00000 0xfff32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff00000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:17 (UTC) True 1
Fn
Get Time type = Ticks, time = 127811 True 1
Fn
Process #80: net1.exe
17 0
Information Value
ID #80
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:06, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf68
Parent PID 0xcf0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff00000 0xfff32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff00000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:17 (UTC) True 1
Fn
Get Time type = Ticks, time = 127655 True 1
Fn
Process #81: net1.exe
17 0
Information Value
ID #81
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:06, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xbc0
Parent PID 0xc2c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff00000 0xfff32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff00000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:17 (UTC) True 1
Fn
Get Time type = Ticks, time = 127702 True 1
Fn
Process #82: net1.exe
17 0
Information Value
ID #82
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:07, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbcc
Parent PID 0xf78 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff00000 0xfff32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff00000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:17 (UTC) True 1
Fn
Get Time type = Ticks, time = 127967 True 1
Fn
Process #83: net.exe
0 0
Information Value
ID #83
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AcronisAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:07, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf3c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
locale.nls 0x00240000 0x002a6fff Memory Mapped File r False False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef44c0000 0x7fef44d1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #84: net.exe
0 0
Information Value
ID #84
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:07, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x864
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #85: net.exe
0 0
Information Value
ID #85
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop Antivirus /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:10, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x578
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #86: net.exe
0 0
Information Value
ID #86
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ARSM /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x548
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x24C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #87: net1.exe
17 0
Information Value
ID #87
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AcronisAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x518
Parent PID 0xf3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff850000 0xff882fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef44c0000 0x7fef44d1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff850000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
»
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:18 (UTC) True 1
Fn
Get Time type = Ticks, time = 128856 True 1
Fn
Process #88: net1.exe
17 0
Information Value
ID #88
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AcrSch2Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfbc
Parent PID 0x864 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xACC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1e0000 0xff212fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef44c0000 0x7fef44d1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff1e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:19 (UTC) True 1 Fn
Get Time type = Ticks, time = 129278 True 1 Fn
Process #89: net1.exe
17 0
Information Value
ID #89
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop Antivirus /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xad0
Parent PID 0x578 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1e0000 0xff212fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef44c0000 0x7fef44d1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff1e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:19 (UTC) True 1 Fn
Get Time type = Ticks, time = 129184 True 1 Fn
Process #90: net.exe
0 0
Information Value
ID #90
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:10, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb08
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #91: net.exe
0 0
Information Value
ID #91
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6c8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x324
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #92: net.exe
0 0
Information Value
ID #92
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x898
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x874
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #93: net1.exe
17 0
Information Value
ID #93
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ARSM /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xfb8
Parent PID 0x548 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x90C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9e0000 0xffa12fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef44c0000 0x7fef44d1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:19 (UTC) True 1 Fn
Get Time type = Ticks, time = 129527 True 1 Fn
Process #94: net.exe
0 0
Information Value
ID #94
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:10, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x828
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #95: net.exe
0 0
Information Value
ID #95
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xadc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #96: net.exe
0 0
Information Value
ID #96
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x724
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x778
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #97: net1.exe
17 0
Information Value
ID #97
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:10, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf94
Parent PID 0xb08 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x89C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff850000 0xff882fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff850000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:20 (UTC) True 1 Fn
Get Time type = Ticks, time = 130042 True 1 Fn
Process #98: net.exe
0 0
Information Value
ID #98
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:10, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8e0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #99: net.exe
0 0
Information Value
ID #99
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop bedbg /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:10, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc94
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #100: net1.exe
17 0
Information Value
ID #100
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecJobEngine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb48
Parent PID 0x828 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd10000 0xffd42fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffd10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:20 (UTC) True 1 Fn
Get Time type = Ticks, time = 130292 True 1 Fn
Process #101: net1.exe
17 0
Information Value
ID #101
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xa94
Parent PID 0x6c8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x938
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd10000 0xffd42fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffd10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:20 (UTC) True 1 Fn
Get Time type = Ticks, time = 130338 True 1 Fn
Process #102: net1.exe
17 0
Information Value
ID #102
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x988
Parent PID 0x898 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x94C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd10000 0xffd42fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffd10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:20 (UTC) True 1 Fn
Get Time type = Ticks, time = 130370 True 1 Fn
Process #103: net.exe
0 0
Information Value
ID #103
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop DCAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xae4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #104: net.exe
0 0
Information Value
ID #104
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EPSecurityService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x82c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #105: net.exe
0 0
Information Value
ID #105
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EPUpdateService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:01:12, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x970
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #106: net1.exe
17 0
Information Value
ID #106
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecRPCService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x968
Parent PID 0x724 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3f0000 0xff422fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:21 (UTC) True 1
Get Time type = Ticks, time = 131103 True 1
Process #107: net1.exe
Information Value
ID #107
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecManagementService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xab8
Parent PID 0xadc (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x980
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3f0000 0xff422fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:20 (UTC) True 1
Get Time type = Ticks, time = 130853 True 1
Process #108: net1.exe
Information Value
ID #108
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop bedbg /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8ec
Parent PID 0xc94 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x878
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3f0000 0xff422fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:20 (UTC) True 1
Get Time type = Ticks, time = 130978 True 1
Process #109: net1.exe
Information Value
ID #109
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecVSSProvider /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x7e4
Parent PID 0x8e0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3f0000 0xff422fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:20 (UTC) True 1
Get Time type = Ticks, time = 130853 True 1
Process #110: net.exe
Information Value
ID #110
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:01:12, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9a0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x41C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #111: net.exe
Information Value
ID #111
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EsgShKernel /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:01:12, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xad4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #112: net1.exe
Information Value
ID #112
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EPSecurityService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc20
Parent PID 0x82c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff680000 0xff6b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff680000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:21 (UTC) True 1
Get Time type = Ticks, time = 131493 True 1
Process #113: net1.exe
Information Value
ID #113
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop DCAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x9d0
Parent PID 0xae4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x964
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff680000 0xff6b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff680000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:21 (UTC) True 1
Get Time type = Ticks, time = 131462 True 1
Process #114: net.exe
Information Value
ID #114
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop FA_Scheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x974
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x97C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #115: net1.exe
Information Value
ID #115
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EPUpdateService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:12, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x990
Parent PID 0x970 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x870
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
locale.nls 0x00260000 0x002c6fff Memory Mapped File r False False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1b0000 0xff1e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff1b0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:21 (UTC) True 1
Get Time type = Ticks, time = 131789 True 1
Process #116: net.exe
Information Value
ID #116
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop IISAdmin /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x954
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #117: net1.exe
Information Value
ID #117
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EsgShKernel /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:12, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x240
Parent PID 0xad4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x840
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1b0000 0xff1e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff1b0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:21 (UTC) True 1
Get Time type = Ticks, time = 131867 True 1
Process #118: net1.exe
Information Value
ID #118
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EraserSvc11710 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:12, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc68
Parent PID 0x9a0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
locale.nls 0x00260000 0x002c6fff Memory Mapped File r False False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1b0000 0xff1e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff1b0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:22 (UTC) True 1
Get Time type = Ticks, time = 132054 True 1
Process #119: net.exe
Information Value
ID #119
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop IMAP4Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x568
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #120: net.exe
Information Value
ID #120
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop macmnsvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc04
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #121: net1.exe
Information Value
ID #121
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop IMAP4Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x834
Parent PID 0x568 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
locale.nls 0x00260000 0x002c6fff Memory Mapped File r False False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:22 (UTC) True 1
Get Time type = Ticks, time = 132491 True 1
Process #122: net1.exe
Information Value
ID #122
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop FA_Scheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x690
Parent PID 0x974 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:22 (UTC) True 1
Get Time type = Ticks, time = 132413 True 1
Process #123: net1.exe
Information Value
ID #123
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop IISAdmin /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xfc4
Parent PID 0x954 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0007ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:22 (UTC) True 1
Get Time type = Ticks, time = 132398 True 1
Process #124: net.exe
Information Value
ID #124
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop masvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaf0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef45f0000 0x7fef4601fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #125: net.exe
Information Value
ID #125
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MBAMService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xff0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #126: net1.exe
Information Value
ID #126
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop macmnsvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbcc
Parent PID 0xc04 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa00000 0xffa32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:22 (UTC) True 1
Get Time type = Ticks, time = 132741 True 1
Process #127: net.exe
Information Value
ID #127
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xde4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #128: net.exe
Information Value
ID #128
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdec
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #129: net1.exe
Information Value
ID #129
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop masvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf9c
Parent PID 0xaf0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe10000 0xffe42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef45f0000 0x7fef4601fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:23 (UTC) True 1
Get Time type = Ticks, time = 133131 True 1
Process #130: net1.exe
Information Value
ID #130
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MBAMService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x838
Parent PID 0xff0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe10000 0xffe42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef45f0000 0x7fef4601fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:23 (UTC) True 1
Get Time type = Ticks, time = 133131 True 1
Process #131: net.exe
Information Value
ID #131
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb5c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #132: net.exe
Information Value
ID #132
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd8c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #133: net.exe
Information Value
ID #133
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McShield /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd30
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #134: net1.exe
Information Value
ID #134
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MBEndpointAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:14, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x978
Parent PID 0xde4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x994
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff870000 0xff8a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff870000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:23 (UTC) True 1
Get Time type = Ticks, time = 133614 True 1
Process #135: net.exe
Information Value
ID #135
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McTaskManager /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb68
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x958
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #136: net.exe
Information Value
ID #136
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfemms /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb3c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #137: net1.exe
Information Value
ID #137
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeEngineService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xdf8
Parent PID 0xdec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9d0000 0xffa02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff9d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:24 (UTC) True 1
Get Time type = Ticks, time = 134067 True 1
Process #138: net1.exe
Information Value
ID #138
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd28
Parent PID 0xb5c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9d0000 0xffa02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff9d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:24 (UTC) True 1
Get Time type = Ticks, time = 134098 True 1
Process #139: net1.exe
Information Value
ID #139
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xec8
Parent PID 0xd8c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9d0000 0xffa02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:23 (UTC) True 1 Fn
Get Time type = Ticks, time = 133926 True 1 Fn
Process #140: net1.exe
17 0
Information Value
ID #140
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McShield /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:14, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfb4
Parent PID 0xd30 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9d0000 0xffa02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:23 (UTC) True 1 Fn
Get Time type = Ticks, time = 133895 True 1 Fn
Process #141: net.exe
0 0
Information Value
ID #141
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfevtp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:14, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x850
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #142: net.exe
0 0
Information Value
ID #142
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MMS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xce4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #143: net.exe
0 0
Information Value
ID #143
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mozyprobackup /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xffc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #144: net1.exe
17 0
Information Value
ID #144
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McTaskManager /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:14, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc38
Parent PID 0xb68 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffda0000 0xffdd2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffda0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:24 (UTC) True 1 Fn
Get Time type = Ticks, time = 134504 True 1 Fn
Process #145: net.exe
0 0
Information Value
ID #145
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xae0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8A8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
locale.nls 0x00190000 0x001f6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #146: net.exe
0 0
Information Value
ID #146
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfa8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #147: net1.exe
17 0
Information Value
ID #147
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfemms /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xedc
Parent PID 0xb3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:24 (UTC) True 1 Fn
Get Time type = Ticks, time = 134862 True 1 Fn
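Processes #139 through #147 (together with the net.exe processes that spawned the net1.exe ones) are the sample's defence-evasion step in miniature: fmoac.exe (PID 0x910, High integrity) launches one `net.exe stop <service> /y` per target, net.exe delegates to a net1.exe child, and net1.exe opens the service control manager (Open Manager on SERVICES_ACTIVE_DATABASE) to stop McAfee components (McShield, McTaskManager, mfemms, mfevtp, the doubled name McAfeeFrameworkMcAfeeFramework as the report records it), SQL Server Integration Services (MsDtsServer, MsDtsServer100), Mozy backup (mozyprobackup) and MMS. The failed Get Service Name lookup followed by writes to STD_ERROR_HANDLE show each request ending in an error message, which is what you would expect on a sandbox where none of those services is installed; the detectable signal is the burst of stop requests itself, and because net1.exe's parent is net.exe rather than the sample, attribution has to walk the process tree upward. The Python below is an added example written for this page, not code from VMRay or from the sample. It runs that detection over constructed process-creation records modelled on this tree (PIDs from the report; the command lines of the net.exe parents 0xd8c, 0xd30, 0xb68 and 0xb3c, which are outside this excerpt, the explorer.exe root 0x5a0 and the benign cmd.exe control are assumptions), attributes each `net stop` or `taskkill /IM` to the nearest ancestor that is not a relay binary, de-duplicates the net.exe/net1.exe pairs, and alerts when one originator targets five or more distinct services or processes within 30 seconds. The category prefixes in TARGET_TAGS are illustrative, not a vendor-maintained list.

```python
"""Detect the mass service/process termination seen in this report: one parent
spawning many `net stop <svc> /y` (and `taskkill /IM <img> /F`) children in a
burst. Added example for this page; not code from VMRay or from the sample."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class ProcEvent(NamedTuple):
    t: float       # seconds since analysis start (a Sysmon event carries UtcTime)
    pid: int
    ppid: int
    image: str     # image file name, lower-case
    cmdline: str


# Constructed sample events modelled on the process tree in the report above.
# PIDs are the report's hex values. Assumptions: the net.exe parents 0xd8c,
# 0xd30, 0xb68 and 0xb3c are outside this excerpt, so their command lines are
# taken to match their net1.exe children; the explorer.exe root (0x5a0) and the
# cmd.exe control at the end are invented for the example.
EVENTS: List[ProcEvent] = [
    ProcEvent(10.0, 0x910, 0x5a0, "fmoac.exe", r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe"'),
    ProcEvent(73.0, 0xd8c, 0x910, "net.exe",  r'"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y'),
    ProcEvent(73.2, 0xec8, 0xd8c, "net1.exe", r'C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y'),
    ProcEvent(73.0, 0xd30, 0x910, "net.exe",  r'"C:\Windows\System32\net.exe" stop McShield /y'),
    ProcEvent(73.2, 0xfb4, 0xd30, "net1.exe", r'C:\Windows\system32\net1 stop McShield /y'),
    ProcEvent(73.0, 0x850, 0x910, "net.exe",  r'"C:\Windows\System32\net.exe" stop mfevtp /y'),
    ProcEvent(74.0, 0xba8, 0x850, "net1.exe", r'C:\Windows\system32\net1 stop mfevtp /y'),
    ProcEvent(73.0, 0xce4, 0x910, "net.exe",  r'"C:\Windows\System32\net.exe" stop MMS /y'),
    ProcEvent(73.0, 0xffc, 0x910, "net.exe",  r'"C:\Windows\System32\net.exe" stop mozyprobackup /y'),
    ProcEvent(74.0, 0xb68, 0x910, "net.exe",  r'"C:\Windows\System32\net.exe" stop McTaskManager /y'),
    ProcEvent(74.1, 0xc38, 0xb68, "net1.exe", r'C:\Windows\system32\net1 stop McTaskManager /y'),
    ProcEvent(74.0, 0xae0, 0x910, "net.exe",  r'"C:\Windows\System32\net.exe" stop MsDtsServer /y'),
    ProcEvent(74.0, 0xfa8, 0x910, "net.exe",  r'"C:\Windows\System32\net.exe" stop MsDtsServer100 /y'),
    ProcEvent(74.0, 0xb3c, 0x910, "net.exe",  r'"C:\Windows\System32\net.exe" stop mfemms /y'),
    ProcEvent(74.2, 0xedc, 0xb3c, "net1.exe", r'C:\Windows\system32\net1 stop mfemms /y'),
    # Control: an administrator stopping a single service from a shell must not alert.
    ProcEvent(300.0, 0x1234, 0x4444, "cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(300.5, 0x1240, 0x1234, "net.exe", r'net stop spooler /y'),
]

NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?([^\s"/]+)', re.I)
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?"?\s.*?/IM\s+"?([^\s"]+)', re.I)

# Binaries that only relay a kill request: net.exe hands the work to net1.exe,
# and cmd.exe is a common wrapper. Attribution walks past all of them.
RELAY_IMAGES = {"net.exe", "net1.exe", "cmd.exe", "taskkill.exe"}

# Illustrative categories for the names in this report (assumed prefixes).
TARGET_TAGS = [
    (("mcafee", "mcshield", "mctaskmanager", "mfe"), "endpoint-security"),
    (("mozy", "backup"), "backup"),
    (("msdtsserver", "sql"), "database"),
]


def classify(cmdline: str) -> Optional[Tuple[str, str]]:
    """("service", name) for `net stop`, ("process", image) for `taskkill /IM`,
    None when the command line is not a kill request."""
    m = NET_STOP.search(cmdline)
    if m:
        return ("service", m.group(1).lower())
    m = TASKKILL.search(cmdline)
    if m:
        return ("process", m.group(1).lower())
    return None


def originator(pid: int, by_pid: Dict[int, ProcEvent]) -> int:
    """Walk up the parent chain past relay images and return the first ancestor
    that is not one, or the topmost known pid if the chain leaves the log."""
    seen: Set[int] = set()
    cur = pid
    while cur in by_pid and by_pid[cur].image in RELAY_IMAGES and cur not in seen:
        seen.add(cur)
        parent = by_pid[cur].ppid
        if parent not in by_pid:
            return cur
        cur = parent
    return cur


def tag_target(name: str) -> str:
    for prefixes, tag in TARGET_TAGS:
        if name.lower().startswith(prefixes):
            return tag
    return "other"


def detect(events: List[ProcEvent], min_targets: int = 5, window: float = 30.0) -> Dict[int, dict]:
    """Group kill requests by originating process and alert when one originator
    names at least `min_targets` distinct targets inside `window` seconds.
    A net.exe and its net1.exe child name the same target, so the set
    de-duplicates them before counting."""
    by_pid = {e.pid: e for e in events}
    kills: Dict[int, List[Tuple[float, Tuple[str, str]]]] = defaultdict(list)
    for e in events:
        target = classify(e.cmdline)
        if target:
            kills[originator(e.pid, by_pid)].append((e.t, target))
    alerts: Dict[int, dict] = {}
    for pid, items in kills.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            in_window = {tgt for t, tgt in items[i:] if t - t0 <= window}
            if len(in_window) >= min_targets:
                alerts[pid] = {
                    "image": by_pid[pid].image if pid in by_pid else "?",
                    "targets": sorted(name for _, name in in_window),
                    "first_seen": t0,
                }
                break
    return alerts


if __name__ == "__main__":
    for pid, alert in detect(EVENTS).items():
        print(f"ALERT pid=0x{pid:x} image={alert['image']} first_seen={alert['first_seen']}s")
        for name in alert["targets"]:
            print(f"  {name:32} {tag_target(name)}")
```

Run as-is, the script raises one alert, for 0x910 (fmoac.exe), listing nine distinct targets; the lone `net stop spooler` from the cmd.exe control stays below the threshold. The threshold and window are the tunables worth revisiting in production: a real pre-encryption kill list is usually dozens of names issued in a second or two, so a tighter window reduces false positives from legitimate maintenance scripts, and walking past relay images keeps the alert pinned to the process that actually issued the commands rather than to net.exe.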
Process #148: net1.exe
17 0
Information Value
ID #148
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfevtp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xba8
Parent PID 0x850 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEF0
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:24 (UTC) True 1
Get Time type = Ticks, time = 135034 True 1
Process #149: net1.exe
17 0
Information Value
ID #149
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MMS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xef4
Parent PID 0xce4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:25 (UTC) True 1
Get Time type = Ticks, time = 135081 True 1
Process #150: net1.exe
17 0
Information Value
ID #150
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mozyprobackup /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe88
Parent PID 0xffc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:24 (UTC) True 1
Get Time type = Ticks, time = 134894 True 1
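The pattern documented by these process entries is a burst of `net.exe stop <service> /y` commands (each delegating to `net1.exe`, which is why the net1.exe entries show net.exe as parent) and `taskkill.exe /IM <image> /F` commands, all descending from the analysis target within a couple of seconds. The following detector is an added example, not part of the VMRay report or the sample: it walks each net/net1/taskkill child back to its first non-helper ancestor and alerts when that ancestor causes more than a threshold of distinct stop/kill targets inside a short window. The record field names (`ts`, `pid`, `ppid`, `image`, `cmdline`) and the constructed sample records are assumptions modelled on the report's process tree; a benign lone `net stop spooler` from cmd.exe is included to show it stays below the threshold.

```python
"""Flag a process whose children stop many services or kill many processes.

Added example (not the report's or the sample's code). Input records mimic
Sysmon Event ID 1 fields; field names and the sample data are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                    # distinct stop/kill targets before alerting
WINDOW = timedelta(seconds=10)   # burst window
HELPERS = {"net.exe", "net1.exe", "taskkill.exe"}   # attributed to their caller

# `net stop <svc>` / `net1 stop <svc>` and `taskkill /IM <image>`, case-insensitive
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?([^\s"]+)', re.IGNORECASE)
TASKKILL_IM = re.compile(r'/IM\s+"?([^\s"]+)', re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_target(cmdline):
    """Return ('service', name) or ('process', image) for a stop/kill command, else None."""
    m = NET_STOP.search(cmdline)
    if m:
        return ("service", m.group(1).lower())
    m = TASKKILL_IM.search(cmdline)
    if m:
        return ("process", m.group(1).lower())
    return None


def initiator(pid, procs):
    """Walk the parent chain past net/net1/taskkill to the process that caused the stop."""
    seen = set()
    cur = pid
    while True:
        seen.add(cur)
        rec = procs.get(cur)
        if rec is None or basename(rec["image"]) not in HELPERS:
            return cur           # non-helper ancestor, or an unlogged parent pid
        if rec["ppid"] in seen:  # guard against pid-reuse cycles
            return cur
        cur = rec["ppid"]


def find_service_stop_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per initiator that hit >= threshold distinct targets within window."""
    procs = {e["pid"]: e for e in events}
    hits = defaultdict(list)     # initiator pid -> [(ts, kind, target)]
    for e in events:
        target = extract_target(e["cmdline"])
        if target:
            hits[initiator(e["pid"], procs)].append((datetime.fromisoformat(e["ts"]), *target))
    alerts = []
    for pid, rows in hits.items():
        rows.sort(key=lambda r: r[0])
        lo = 0
        for hi in range(len(rows)):          # sliding window over the sorted hits
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            if len({(k, t) for _, k, t in rows[lo:hi + 1]}) >= threshold:
                alerts.append({
                    "pid": pid,
                    "image": procs[pid]["image"] if pid in procs else "<unlogged>",
                    "targets": sorted({t for _, _, t in rows}),   # everything this initiator hit
                })
                break
    return alerts


# Constructed records modelled on the report's process tree (PIDs and command
# lines taken from the report where it shows them, the rest invented);
# timestamps are synthetic.
SAMPLE_EVENTS = [
    {"ts": "2018-11-27T19:43:23", "pid": 0x910, "ppid": 0x700, "image": r"C:\Users\user\Desktop\FmoAc.exe",
     "cmdline": r'"C:\Users\user\Desktop\FmoAc.exe"'},
    {"ts": "2018-11-27T19:43:23", "pid": 0x938, "ppid": 0x910, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F'},
    {"ts": "2018-11-27T19:43:23", "pid": 0x944, "ppid": 0x910, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F'},
    {"ts": "2018-11-27T19:43:24", "pid": 0x850, "ppid": 0x910, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop mfevtp /y'},
    {"ts": "2018-11-27T19:43:24", "pid": 0xba8, "ppid": 0x850, "image": r"C:\Windows\System32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop mfevtp /y"},
    {"ts": "2018-11-27T19:43:24", "pid": 0x8bc, "ppid": 0x910, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop MsDtsServer110 /y'},
    {"ts": "2018-11-27T19:43:24", "pid": 0x8c8, "ppid": 0x910, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop MSExchangeES /y'},
    {"ts": "2018-11-27T19:43:25", "pid": 0xdd0, "ppid": 0x910, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop MSExchangeIS /y'},
    {"ts": "2018-11-27T19:43:40", "pid": 0x1234, "ppid": 0x700, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"ts": "2018-11-27T19:43:41", "pid": 0x1300, "ppid": 0x1234, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop spooler /y'},
]

if __name__ == "__main__":
    for a in find_service_stop_bursts(SAMPLE_EVENTS):
        print(f"ALERT pid=0x{a['pid']:x} {a['image']} stopped/killed: {', '.join(a['targets'])}")
```

Two design points worth noting. Attribution walks past net.exe and net1.exe because, as the entries above show, the direct parent of each net1.exe is a short-lived net.exe whose own parent is the real initiator; counting distinct targets (rather than events) keeps the net.exe/net1.exe pair for one service from being counted twice. The threshold and window are deliberately low for the example; on a real estate they should be tuned against how often administrators legitimately script `net stop` in bulk.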
Process #151: net.exe
0 0
Information Value
ID #151
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:16, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8bc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x85C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #152: net.exe
0 0
Information Value
ID #152
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeES /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:16, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8c8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #153: net1.exe
17 0
Information Value
ID #153
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xdac
Parent PID 0xae0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff8c0000 0xff8f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff8c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:25 (UTC) True 1
Get Time type = Ticks, time = 135346 True 1
Process #154: net.exe
0 0
Information Value
ID #154
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeIS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdd0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #155: net1.exe
17 0
Information Value
ID #155
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xf14
Parent PID 0xfa8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0019ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff8c0000 0xff8f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff8c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:25 (UTC) True 1
Get Time type = Ticks, time = 135486 True 1
Process #156: net.exe
0 0
»
Information Value
ID #156
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xec0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #157: net1.exe
Information Value
ID #157
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer110 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd08
Parent PID 0x8bc (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffce0000 0xffd12fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffce0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:25 (UTC) True 1 Fn
Get Time type = Ticks, time = 135658 True 1 Fn
Process #158: net.exe
Information Value
ID #158
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd18
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #159: net.exe
Information Value
ID #159
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeSA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd64
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #160: net1.exe
Information Value
ID #160
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeIS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe24
Parent PID 0xdd0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x918
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffce0000 0xffd12fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffce0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:25 (UTC) True 1 Fn
Get Time type = Ticks, time = 135845 True 1 Fn
Process #161: net1.exe
Information Value
ID #161
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeES /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc90
Parent PID 0x8c8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff2a0000 0xff2d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff2a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:26 (UTC) True 1 Fn
Get Time type = Ticks, time = 136157 True 1 Fn
Process #162: net.exe
Information Value
ID #162
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf48
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #163: net.exe
Information Value
ID #163
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf00
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #164: net.exe
Information Value
ID #164
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xccc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #165: net1.exe
Information Value
ID #165
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeMGMT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xdcc
Parent PID 0xec0 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff030000 0xff062fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff030000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:26 (UTC) True 1
Get Time type = Ticks, time = 136578 True 1
Process #166: net1.exe
Information Value
ID #166
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeMTA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd48
Parent PID 0xd18 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff030000 0xff062fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff030000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:26 (UTC) True 1
Get Time type = Ticks, time = 136734 True 1
Process #167: net1.exe
Information Value
ID #167
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeSA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd9c
Parent PID 0xd64 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff030000 0xff062fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff030000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:26 (UTC) True 1
Get Time type = Ticks, time = 136656 True 1
Process #168: net1.exe
Information Value
ID #168
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeSRS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:16, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x210
Parent PID 0xf48 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
private_0x0000000000660000 0x00660000 0x0066ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff030000 0xff062fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff030000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:26 (UTC) True 1
Get Time type = Ticks, time = 136688 True 1
Process #169: net.exe
Information Value
ID #169
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe98
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x804
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #170: net.exe
Information Value
ID #170
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xeb8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #171: net1.exe
Information Value
ID #171
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe08
Parent PID 0xe70 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff030000 0xff062fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff030000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:27 (UTC) True 1
Get Time type = Ticks, time = 137078 True 1
Process #172: net.exe
Information Value
ID #172
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdb4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x518
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #173: net1.exe
Information Value
ID #173
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe2c
Parent PID 0xf00 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x4E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffae0000 0xffb12fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffae0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:27 (UTC) True 1
Get Time type = Ticks, time = 137436 True 1
Process #174: net1.exe
Information Value
ID #174
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xe18
Parent PID 0xe98 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffae0000 0xffb12fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffae0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:27 (UTC) True 1
Get Time type = Ticks, time = 137468 True 1
Process #175: net1.exe
Information Value
ID #175
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x7e8
Parent PID 0xccc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffae0000 0xffb12fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffae0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:27 (UTC) True 1
Get Time type = Ticks, time = 137514 True 1
Process #176: net.exe
Information Value
ID #176
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcf8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #177: net.exe
Information Value
ID #177
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcc8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #178: net.exe
Information Value
ID #178
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe78
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x6A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #179: net1.exe
Information Value
ID #179
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x8e4
Parent PID 0xdb4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x4F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe40000 0xffe72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:27 (UTC) True 1
Get Time type = Ticks, time = 137873 True 1
Process #180: net1.exe
Information Value
ID #180
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x9c0
Parent PID 0xeb8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe40000 0xffe72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:27 (UTC) True 1
Get Time type = Ticks, time = 137811 True 1
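Analyst note, added to this page and not part of VMRay's report output: in every net1.exe child above, the Service table shows the SCM database being opened successfully while the service-name lookup fails, and the three stderr writes (30, 2 and 52 bytes) match the lengths of "The service name is invalid." and "More help is available by typing NET HELPMSG 2185.", each followed by CRLF, which is what net stop prints when the target service is not installed. The sandbox simply had none of the MSSQL$ and MSOLAP$ instances this sample tries to stop, so the Success column says nothing about what the same command lines would do on a real database or backup server. Detection should therefore key on the command-line pattern and the parent, not the outcome: one process spawning a burst of net.exe stop <service> /y and taskkill /IM <image> /F children. The Python below is an example written for this page, not VMRay code; the event fields, the FmoAc.exe parent PID 0x5a0 and the timestamps are constructed to mirror the report's process tree, and the detector attributes each net1.exe to its grandparent so a net.exe/net1.exe pair is counted as one stop.

```python
"""Flag ransomware-style bursts of `net stop <svc> /y` and `taskkill /IM <proc> /F`
in process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent).
Added example, not part of the VMRay report; sample events are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ProcEvent:
    ts: float        # seconds (e.g. event time as epoch); invented for the sample
    pid: int
    ppid: int
    image: str       # full path of the new process
    cmdline: str


@dataclass
class Alert:
    root_pid: int
    root_image: str
    kind: str                     # "stop_service" or "kill_process"
    targets: List[str]
    high_value: List[str] = field(default_factory=list)


# Service prefixes ransomware stops so database/backup files are not locked during encryption.
HIGH_VALUE_RE = re.compile(r"^(MSSQL|MSOLAP|SQLAgent|SQLWriter|BKUPEXEC|Veeam|Acronis|vss)", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line: a quoted token keeps its spaces, backslashes stay literal."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def basename(path: str) -> str:
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (kind, target) for the two LOLBin patterns in the report, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe, args = basename(toks[0]), [t.lower() for t in toks[1:]]
    if exe in ("net", "net1") and len(args) >= 2 and args[0] == "stop":
        return ("stop_service", toks[2])
    if exe == "taskkill" and "/im" in args:
        i = args.index("/im")
        if i + 1 < len(args):
            return ("kill_process", toks[i + 2])
    return None


def root_pid(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> int:
    """net.exe forwards to net1.exe; attribute net1 to net's parent so one stop is counted once."""
    parent = by_pid.get(ev.ppid)
    if basename(ev.image) == "net1" and parent is not None and basename(parent.image) == "net":
        return parent.ppid
    return ev.ppid


def densest_window(seq: List[Tuple[float, str]], window_s: float) -> Set[str]:
    """Largest set of distinct targets seen within any window_s-second span (seq sorted by ts)."""
    best: Set[str] = set()
    for i, (start, _) in enumerate(seq):
        cur = {t for ts, t in seq[i:] if ts - start <= window_s}
        if len(cur) > len(best):
            best = cur
    return best


def detect(events: List[ProcEvent], window_s: float = 60.0, min_targets: int = 3) -> List[Alert]:
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[Tuple[float, str, str]]] = defaultdict(list)
    for e in events:
        c = classify(e.cmdline)
        if c:
            hits[root_pid(e, by_pid)].append((e.ts, c[0], c[1].lower()))
    alerts: List[Alert] = []
    for root, rows in hits.items():
        rows.sort()
        for kind in ("stop_service", "kill_process"):
            targets = densest_window([(ts, tgt) for ts, k, tgt in rows if k == kind], window_s)
            if len(targets) >= min_targets:
                img = by_pid[root].image if root in by_pid else "<unknown>"
                alerts.append(Alert(root, img, kind, sorted(targets),
                                    sorted(t for t in targets if HIGH_VALUE_RE.match(t))))
    return alerts


# Constructed telemetry modelled on the report's process tree (child PIDs from the report, ts invented).
SAMPLE = [
    ProcEvent(0.0, 0x910, 0x5a0, r"C:\Users\victim\Desktop\FmoAc.exe", r'"C:\Users\victim\Desktop\FmoAc.exe"'),
    ProcEvent(1.0, 0x938, 0x910, r"C:\Windows\System32\taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F'),
    ProcEvent(1.1, 0x944, 0x910, r"C:\Windows\System32\taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F'),
    ProcEvent(1.2, 0x964, 0x910, r"C:\Windows\System32\taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F'),
    ProcEvent(76.0, 0xe98, 0x910, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop MSOLAP$TPS /y'),
    ProcEvent(76.1, 0xe18, 0xe98, r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 stop MSOLAP$TPS /y"),
    ProcEvent(77.0, 0xcf8, 0x910, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y'),
    ProcEvent(77.1, 0xcc8, 0x910, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y'),
    ProcEvent(77.2, 0xe78, 0x910, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y'),
    ProcEvent(77.3, 0xa74, 0x910, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y'),
    # Benign admin activity: a single service stop from an interactive shell must not alert.
    ProcEvent(90.0, 0x1234, 0x777, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop spooler'),
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(f"{a.kind}: root pid {a.root_pid:#x} ({a.root_image}) hit {len(a.targets)} targets; "
              f"high-value: {a.high_value}")
```

The threshold of three distinct targets inside a 60-second window is an assumed tuning value; on the report's tree the sample produces two alerts for PID 0x910, one listing five database services (all matching the high-value list) and one listing three killed images, while the lone spooler stop from the other parent stays silent.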
Process #181: net.exe
Information Value
ID #181
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa74
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #182: net.exe
0 0
Information Value
ID #182
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbc4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #183: net1.exe
17 0
Information Value
ID #183
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xbac
Parent PID 0xcf8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff600000 0xff632fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff600000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:28 (UTC) True 1
Fn
Get Time type = Ticks, time = 138341 True 1
Fn
Process #184: net1.exe
17 0
Information Value
ID #184
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xcd4
Parent PID 0xcc8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff600000 0xff632fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff600000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:28 (UTC) True 1
Fn
Get Time type = Ticks, time = 138279 True 1
Fn
Process #185: net1.exe
17 0
Information Value
ID #185
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc18
Parent PID 0xe78 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
locale.nls 0x00180000 0x001e6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff600000 0xff632fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff600000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:28 (UTC) True 1
Fn
Get Time type = Ticks, time = 138326 True 1
Fn
Process #186: net.exe
0 0
Information Value
ID #186
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb6c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #187: net.exe
0 0
Information Value
ID #187
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xba4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x764
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #188: net.exe
0 0
Information Value
ID #188
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x864
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #189: net1.exe
17 0
Information Value
ID #189
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb04
Parent PID 0xbc4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x424
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff600000 0xff632fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff600000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:28 (UTC) True 1
Fn
Get Time type = Ticks, time = 138918 True 1
Fn
Process #190: net1.exe
17 0
Information Value
ID #190
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xaf8
Parent PID 0xb6c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff600000 0xff632fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff600000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:28 (UTC) True 1
Fn
Get Time type = Ticks, time = 138934 True 1
Fn
Process #191: net.exe
0 0
Information Value
ID #191
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:20, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb1c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x89C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
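The process tree above is the pattern a defender wants to catch: the analysis target spawns one `net.exe stop <service> /y` per SQL Server instance, each `net.exe` hands the work to a `net1.exe` child that makes the service-control call, and the whole burst lands within a second or two. The following is an added detection example, not part of the VMRay report and not the sandbox's own logic. It replays process-creation records shaped like this report's (PID, parent PID, image, command line, time), walks each `net1.exe`/`net.exe` back to the process that actually initiated the stop, and alerts when one initiator stops several database or backup services in a short window. Assumptions: the service-name fragments in `TARGET_SERVICE_RE` are my own list seeded from the `MSSQL$...` instances in the report; the sample events are constructed, with the command lines of the `net.exe` parents inferred from their `net1.exe` children and `0x3e8` as an invented parent PID for the analysis target.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed: fragments of service names worth alerting on. Seeded from the
# MSSQL$<instance> names in the report (Veeam's bundled instances included);
# extend it for your own estate (backup agents, Exchange, Oracle, ...).
TARGET_SERVICE_RE = re.compile(r"MSSQL|SQL|VEEAM", re.IGNORECASE)

# `net stop <service> /y` as it appears in both net.exe and net1.exe command
# lines; the service is quoted when a display name with spaces is used.
NET_STOP_RE = re.compile(r'\bstop\s+(?:"([^"]+)"|(\S+))\s+/y\b', re.IGNORECASE)
NET_IMAGES = {"net.exe", "net1.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields Sysmon event 1 or EDR telemetry carry)."""
    pid: int
    ppid: int
    image: str      # lower-case base name, e.g. "net1.exe"
    cmdline: str
    ts: int         # seconds since the start of the capture


def root_initiator(ev, by_pid):
    """Walk up past net.exe/net1.exe to the process that really issued the stop."""
    # net.exe only launches net1.exe, which makes the service-control call, so
    # an alert keyed on either image alone names the wrong parent.
    cur, seen = ev, set()
    while cur.image in NET_IMAGES and cur.ppid in by_pid and cur.pid not in seen:
        seen.add(cur.pid)
        cur = by_pid[cur.ppid]
    return cur


def find_service_stops(events):
    """Return (initiator, service, event) for every net stop of a target service."""
    by_pid = {e.pid: e for e in events}  # real pipelines key on ProcessGuid: PIDs get reused
    hits = []
    for e in events:
        if e.image not in NET_IMAGES:
            continue
        m = NET_STOP_RE.search(e.cmdline)
        if not m:
            continue
        service = m.group(1) or m.group(2)
        if TARGET_SERVICE_RE.search(service):
            hits.append((root_initiator(e, by_pid), service, e))
    return hits


def detect(events, window_s=5, threshold=3):
    """Alert when one initiator stops >= threshold distinct target services within window_s."""
    first_seen = defaultdict(dict)   # initiator pid -> {service: earliest ts}
    initiators = {}
    for initiator, service, e in find_service_stops(events):
        initiators[initiator.pid] = initiator
        svc_times = first_seen[initiator.pid]
        svc_times[service] = min(svc_times.get(service, e.ts), e.ts)
    alerts = []
    for pid, services in first_seen.items():
        times = sorted(services.values())
        if len(services) >= threshold and times[-1] - times[0] <= window_s:
            alerts.append({
                "initiator_pid": pid,
                "initiator_image": initiators[pid].image,
                "services": sorted(services, key=str.upper),
                "span_s": times[-1] - times[0],
            })
    return alerts


def net_pair(net_pid, net1_pid, service, ts, parent=0x910):
    """Constructed net.exe -> net1.exe pair shaped like the report's process tree."""
    evs = [ProcEvent(net_pid, parent, "net.exe", f'"C:\\Windows\\System32\\net.exe" stop {service} /y', ts)]
    if net1_pid is not None:
        evs.append(ProcEvent(net1_pid, net_pid, "net1.exe", f"C:\\Windows\\system32\\net1 stop {service} /y", ts))
    return evs


# Constructed sample: PIDs, images and service names follow the report; the
# net.exe command lines are inferred from their net1.exe children, and 0x3e8
# is an assumed parent for the analysis target.
SAMPLE_EVENTS = [
    ProcEvent(0x910, 0x3e8, "fmoac.exe", r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe"', 0),
    *net_pair(0xb6c, 0xaf8, "MSSQL$SHAREPOINT", 78),
    *net_pair(0xb1c, None, "MSSQL$TPS", 78),
    *net_pair(0xf94, 0x874, "MSSQL$TPSAMA", 78),
    *net_pair(0xba4, 0x938, "MSSQL$SQL_2008", 78),
    *net_pair(0x864, 0x590, "MSSQL$SYSTEM_BGC", 78),
    *net_pair(0xb48, None, "MSSQL$VEEAMSQL2008R2", 78),
    *net_pair(0x828, None, "MSSQL$VEEAMSQL2012", 78),
    *net_pair(0xa74, 0xab8, "MSSQL$PROFXENGAGEMENT", 79),
    # Benign: an administrator stopping one instance from an interactive shell.
    ProcEvent(0x500, 0x3e8, "cmd.exe", "cmd.exe", 600),
    *net_pair(0x501, 0x502, "MSSQLSERVER", 601, parent=0x500),
    *net_pair(0x503, None, "Spooler", 602, parent=0x500),
]
```

Running `detect(SAMPLE_EVENTS)` yields a single alert attributed to `fmoac.exe` (PID 0x910) covering all eight `MSSQL$` instances with a one-second span, while the administrator's lone `net stop MSSQLSERVER /y` stays below the threshold. Two design points matter in practice: the initiator walk is what keeps both the `net.exe` and the `net1.exe` record pointing at the same origin instead of producing one alert per helper process, and the lookup table must be keyed on a process GUID rather than a raw PID once you move beyond a sandbox trace, because PIDs are recycled quickly on a busy host.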
Process #192: net.exe
0 0
Information Value
ID #192
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf94
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #193: net1.exe
17 0
Information Value
ID #193
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x938
Parent PID 0xba4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x94C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff350000 0xff382fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff350000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:29 (UTC) True 1
Fn
Get Time type = Ticks, time = 139262 True 1
Fn
Process #194: net1.exe
17 0
Information Value
ID #194
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x590
Parent PID 0x864 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x7F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff350000 0xff382fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
»
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
»
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff350000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
»
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:29 (UTC) True 1
Fn
Get Time type = Ticks, time = 139308 True 1
Fn
Process #195: net.exe
0 0
Information Value
ID #195
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:20, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xb48
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAB4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #196: net.exe
0 0
Information Value
ID #196
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:20, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x828
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x658
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #197: net1.exe
17 0
Information Value
ID #197
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x874
Parent PID 0xf94 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x7E4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
locale.nls 0x001e0000 0x00246fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbd0000 0xffc02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffbd0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
»
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:29 (UTC) True 1
Fn
Get Time type = Ticks, time = 139605 True 1
Fn
Process #198: net1.exe
17 0
Information Value
ID #198
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xab8
Parent PID 0xa74 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x6C8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbd0000 0xffc02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffbd0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:29 (UTC) True 1
Get Time type = Ticks, time = 139620 True 1
Process #199: net1.exe
17 0
Information Value
ID #199
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x5ac
Parent PID 0xb1c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x854
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbd0000 0xffc02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffbd0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:29 (UTC) True 1
Get Time type = Ticks, time = 139636 True 1
Process #200: net.exe
0 0
Information Value
ID #200
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:20, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x91c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #201: net.exe
0 0
Information Value
ID #201
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:20, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3b8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #202: net.exe
0 0
Information Value
ID #202
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaa0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #203: net1.exe
17 0
Information Value
ID #203
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb54
Parent PID 0xb48 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x968
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff950000 0xff982fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff950000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:30 (UTC) True 1
Get Time type = Ticks, time = 140088 True 1
Process #204: net.exe
0 0
Information Value
ID #204
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xadc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #205: net.exe
0 0
Information Value
ID #205
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9a8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x810
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #206: net1.exe
17 0
Information Value
ID #206
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:20, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc6c
Parent PID 0x828 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff950000 0xff982fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff950000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:30 (UTC) True 1
Get Time type = Ticks, time = 140525 True 1
Process #207: net1.exe
17 0
Information Value
ID #207
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x9d0
Parent PID 0x91c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x808
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff950000 0xff982fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff950000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:30 (UTC) True 1 Fn
Get Time type = Ticks, time = 140369 True 1 Fn
Process #208: net1.exe
17 0
Information Value
ID #208
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb18
Parent PID 0x3b8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff950000 0xff982fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff950000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:30 (UTC) True 1 Fn
Get Time type = Ticks, time = 140385 True 1 Fn
Process #209: net1.exe
17 0
Information Value
ID #209
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:20, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xae4
Parent PID 0xaa0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x950
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff950000 0xff982fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff950000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:30 (UTC) True 1 Fn
Get Time type = Ticks, time = 140385 True 1 Fn
Process #210: net.exe
0 0
Information Value
ID #210
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x98c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x7A8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000005b0000 0x005b0000 0x005bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #211: net.exe
0 0
Information Value
ID #211
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa9c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x998
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #212: net.exe
0 0
Information Value
ID #212
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xad8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x528
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #213: net.exe
0 0
Information Value
ID #213
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa64
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x904
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #214: net1.exe
17 0
Information Value
ID #214
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd00
Parent PID 0x98c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x540
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:30 (UTC) True 1 Fn
Get Time type = Ticks, time = 140962 True 1 Fn
Process #215: net1.exe
17 0
Information Value
ID #215
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:01:20, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x820
Parent PID 0xadc (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:30 (UTC) True 1
Get Time type = Ticks, time = 140915 True 1
Process #216: net1.exe
Information Value
ID #216
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xbc0
Parent PID 0x9a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x984
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x00000000005d0000 0x005d0000 0x005dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:31 (UTC) True 1
Get Time type = Ticks, time = 141243 True 1
Process #217: net.exe
Information Value
ID #217
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6e8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x474
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #218: net.exe
Information Value
ID #218
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa88
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #219: net1.exe
Information Value
ID #219
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLSERVER /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xbd0
Parent PID 0xa64 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x928
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe40000 0xffe72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:31 (UTC) True 1
Get Time type = Ticks, time = 141804 True 1
Process #220: net1.exe
Information Value
ID #220
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xdd8
Parent PID 0xad8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe40000 0xffe72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:31 (UTC) True 1
Get Time type = Ticks, time = 141633 True 1
Process #221: net1.exe
Information Value
ID #221
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xbb8
Parent PID 0xa9c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe40000 0xffe72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:31 (UTC) True 1
Get Time type = Ticks, time = 141680 True 1
Process #222: net.exe
Information Value
ID #222
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MySQL80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:23, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xab0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #223: net.exe
Information Value
ID #223
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MySQL57 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9b4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #224: net1.exe
17 0
Information Value
ID #224
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xfdc
Parent PID 0xa88 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff090000 0xff0c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff090000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:32 (UTC) True 1 Fn
Get Time type = Ticks, time = 142054 True 1 Fn
Process #225: net1.exe
17 0
Information Value
ID #225
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:21, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xec8
Parent PID 0x6e8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff090000 0xff0c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff090000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:32 (UTC) True 1 Fn
Get Time type = Ticks, time = 142070 True 1 Fn
Process #226: net.exe
0 0
Information Value
ID #226
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ntrtscan /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7ac
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #227: net.exe
0 0
Information Value
ID #227
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd28
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #228: net.exe
0 0
Information Value
ID #228
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop PDVFSService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaa4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #229: net1.exe
17 0
Information Value
ID #229
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MySQL80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd80
Parent PID 0xab0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe10000 0xffe42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffe10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:32 (UTC) True 1 Fn
Get Time type = Ticks, time = 142382 True 1 Fn
Process #230: net.exe
0 0
Information Value
ID #230
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop POP3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe1c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #231: net.exe
0 0
Information Value
ID #231
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc58
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #232: net1.exe
17 0
Information Value
ID #232
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MySQL57 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xebc
Parent PID 0x9b4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff40000 0xfff72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff40000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:32 (UTC) True 1 Fn
Get Time type = Ticks, time = 142818 True 1 Fn
Process #233: net1.exe
Information Value
ID #233
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ntrtscan /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb40
Parent PID 0x7ac (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff40000 0xfff72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff40000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:32 (UTC) True 1 Fn
Get Time type = Ticks, time = 142850 True 1 Fn
Process #234: net1.exe
Information Value
ID #234
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop OracleClientCache80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:23, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x958
Parent PID 0xd28 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff40000 0xfff72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff40000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:32 (UTC) True 1 Fn
Get Time type = Ticks, time = 142709 True 1 Fn
Process #235: net1.exe
Information Value
ID #235
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop PDVFSService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb68
Parent PID 0xaa4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff40000 0xfff72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff40000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:32 (UTC) True 1 Fn
Get Time type = Ticks, time = 142725 True 1 Fn
Process #236: net.exe
Information Value
ID #236
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xac0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #237: net.exe
Information Value
ID #237
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xba8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #238: net.exe
Information Value
ID #238
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6f8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #239: net1.exe
Information Value
ID #239
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop POP3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:23, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xedc
Parent PID 0xe1c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6c0000 0xff6f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff6c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:33 (UTC) True 1 Fn
Get Time type = Ticks, time = 143193 True 1 Fn
Process #240: net.exe
Information Value
ID #240
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf1c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xED0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #241: net1.exe
Information Value
ID #241
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xce8
Parent PID 0xc58 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x850
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6c0000 0xff6f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff6c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:33 (UTC) True 1
Get Time type = Ticks, time = 143318 True 1
Process #242: net.exe
Information Value
ID #242
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop RESvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdb8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #243: net1.exe
Information Value
ID #243
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd68
Parent PID 0xac0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8A8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff330000 0xff362fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff330000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:33 (UTC) True 1
Get Time type = Ticks, time = 143552 True 1
Process #244: net1.exe
Information Value
ID #244
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xae0
Parent PID 0xba8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff330000 0xff362fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff330000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:33 (UTC) True 1
Get Time type = Ticks, time = 143520 True 1
Process #245: net.exe
Information Value
ID #245
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop sacsvr /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xed4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #246: net.exe
Information Value
ID #246
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SamSs /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe34
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #247: net.exe
Information Value
ID #247
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SAVAdminService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdc4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x85C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #248: net1.exe
Information Value
ID #248
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x260
Parent PID 0xf1c (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe50000 0xffe82fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:33 (UTC) True 1
Get Time type = Ticks, time = 143879 True 1
Process #249: net1.exe
Information Value
ID #249
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xee4
Parent PID 0x6f8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe50000 0xffe82fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:33 (UTC) True 1
Get Time type = Ticks, time = 143910 True 1
Process #250: net.exe
Information Value
ID #250
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SAVService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf18
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #251: net.exe
Information Value
ID #251
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SDRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8c8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #252: net1.exe
Information Value
ID #252
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SAVAdminService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb60
Parent PID 0xdc4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa20000 0xffa52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:34 (UTC) True 1
Get Time type = Ticks, time = 144394 True 1
Process #253: net1.exe
Information Value
ID #253
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop RESvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x32c
Parent PID 0xdb8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa20000 0xffa52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:34 (UTC) True 1
Get Time type = Ticks, time = 144503 True 1
Process #254: net.exe
Information Value
ID #254
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SepMasterService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x940
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #255: net1.exe
Information Value
ID #255
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop sacsvr /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xe54
Parent PID 0xed4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa20000 0xffa52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:34 (UTC) True 1
Get Time type = Ticks, time = 144566 True 1
Process #256: net1.exe
Information Value
ID #256
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SamSs /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xe4c
Parent PID 0xe34 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa20000 0xffa52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (4)
Operation Additional Information Success Count
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:34 (UTC) True 1
Get Time type = Ticks, time = 144628 True 1
Process #257: net.exe
Information Value
ID #257
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ShMonitor /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x970
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #258: net.exe
Information Value
ID #258
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop Smcinst /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x690
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x834
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #259: net1.exe
Information Value
ID #259
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SepMasterService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9cc
Parent PID 0x940 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x974
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd80000 0xffdb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:35 (UTC) True 1
Get Time type = Ticks, time = 145096 True 1
Process #260: net1.exe
Information Value
ID #260
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SAVService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc04
Parent PID 0xf18 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x95C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd80000 0xffdb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:34 (UTC) True 1
Get Time type = Ticks, time = 145018 True 1
Process #261: net1.exe
Information Value
ID #261
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SDRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf9c
Parent PID 0x8c8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x838
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd80000 0xffdb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 44 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = SDRSVC True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:34 (UTC) True 1
Get Time type = Ticks, time = 145034 True 1
Process #262: net.exe
Information Value
ID #262
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SmcService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaf0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #263: net.exe
Information Value
ID #263
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SMTPSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:26, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf88
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #264: net1.exe
Information Value
ID #264
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop Smcinst /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xeac
Parent PID 0x690 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff7e0000 0xff812fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff7e0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:35 (UTC) True 1
Get Time type = Ticks, time = 145486 True 1
Process #265: net1.exe
Information Value
ID #265
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ShMonitor /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8f4
Parent PID 0x970 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff7e0000 0xff812fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff7e0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:35 (UTC) True 1
Get Time type = Ticks, time = 145408 True 1
Process #266: net.exe
Information Value
ID #266
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SNAC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:26, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1e0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #267: net.exe
Information Value
ID #267
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SntpService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:26, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6ec
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #268: net1.exe
Information Value
ID #268
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SmcService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe00
Parent PID 0xaf0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff840000 0xff872fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff840000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:35 (UTC) True 1
Get Time type = Ticks, time = 145798 True 1
Process #269: net1.exe
Information Value
ID #269
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SMTPSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xac4
Parent PID 0xf88 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff840000 0xff872fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff840000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:35 (UTC) True 1
Get Time type = Ticks, time = 145829 True 1
Process #270: net.exe
Information Value
ID #270
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop sophossps /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:26, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf80
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #271: net.exe
Information Value
ID #271
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:26, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc8c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #272: net1.exe
Information Value
ID #272
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SNAC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe2c
Parent PID 0x1e0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff650000 0xff682fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff650000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:36 (UTC) True 1
Get Time type = Ticks, time = 146094 True 1
Process #273: net.exe
Information Value
ID #273
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcf4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #274: net.exe
Information Value
ID #274
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:26, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xea0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x804
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #275: net1.exe
Information Value
ID #275
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SntpService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:26, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xcf0
Parent PID 0x6ec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4d0000 0xff502fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff4d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:36 (UTC) True 1
Get Time type = Ticks, time = 146453 True 1
Process #276: net.exe
0 0
Information Value
ID #276
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfa4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #277: net1.exe
17 0
Information Value
ID #277
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop sophossps /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xea8
Parent PID 0xf80 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x4F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4d0000 0xff502fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff4d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:36 (UTC) True 1
Get Time type = Ticks, time = 146547 True 1
Process #278: net.exe
0 0
Information Value
ID #278
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe5c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #279: net1.exe
17 0
Information Value
ID #279
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xda0
Parent PID 0xc8c (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4d0000 0xff502fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff4d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:36 (UTC) True 1
Get Time type = Ticks, time = 146812 True 1
Process #280: net1.exe
17 0
Information Value
ID #280
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbd8
Parent PID 0xea0 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4d0000 0xff502fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff4d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:36 (UTC) True 1
Get Time type = Ticks, time = 146828 True 1
Process #281: net1.exe
17 0
Information Value
ID #281
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x90c
Parent PID 0xcf4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4d0000 0xff502fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4480000 0x7fef4491fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff4d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
»
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:36 (UTC) True 1
Fn
Get Time type = Ticks, time = 146968 True 1
Fn
Process #282: net.exe
0 0
Information Value
ID #282
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x24c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCD4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #283: net.exe
0 0
Information Value
ID #283
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd58
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #284: net.exe
0 0
Information Value
ID #284
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe48
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #285: net.exe
0 0
Information Value
ID #285
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xecc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x6E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #286: net1.exe
17 0
Information Value
ID #286
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb6c
Parent PID 0xe5c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x3D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff820000 0xff852fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff820000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:37 (UTC) True 1
Get Time type = Ticks, time = 147545 True 1
Process #287: net1.exe
17 0
Information Value
ID #287
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x578
Parent PID 0xfa4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x948
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff820000 0xff852fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff820000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:37 (UTC) True 1
Get Time type = Ticks, time = 147592 True 1
Process #288: net1.exe
17 0
Information Value
ID #288
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfb8
Parent PID 0xd58 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff820000 0xff852fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff820000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:37 (UTC) True 1
Get Time type = Ticks, time = 147670 True 1
Process #289: net.exe
0 0
Information Value
ID #289
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x94c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x7F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #290: net1.exe
17 0
Information Value
ID #290
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x988
Parent PID 0xecc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff2d0000 0xff302fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff2d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:38 (UTC) True 1
Get Time type = Ticks, time = 148060 True 1
Process #291: net1.exe
Information Value
ID #291
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x7e4
Parent PID 0xe48 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff2d0000 0xff302fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff2d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:37 (UTC) True 1
Get Time type = Ticks, time = 147966 True 1
Process #292: net1.exe
Information Value
ID #292
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x848
Parent PID 0x24c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff2d0000 0xff302fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff2d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:37 (UTC) True 1
Get Time type = Ticks, time = 147982 True 1
Process #293: net.exe
Information Value
ID #293
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x874
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #294: net.exe
Information Value
ID #294
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x878
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #295: net1.exe
Information Value
ID #295
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xaac
Parent PID 0x94c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff220000 0xff252fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff220000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:38 (UTC) True 1
Get Time type = Ticks, time = 148356 True 1
Process #296: net.exe
Information Value
ID #296
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xba0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #297: net.exe
Information Value
ID #297
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x344
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x89C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
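The process entries above are the sample's service-impairment step: FmoAc.exe (PID 0x910) launches one net.exe per SQL Server, Veeam and backup-related service with `stop <service> /y` (the `/y` suppresses the dependency prompt so the stop never blocks), and each net.exe hands the work to net1.exe, so every stop shows up twice in the tree. The taskkill.exe children in the process overview do the same for running applications. The following is an added detection example, written for this page and not VMRay's code or anything from the sample: it scores process-creation events for a burst of distinct stop/kill targets attributed to one parent. The ProcEvent records are constructed from the report's command lines and PIDs; the parent PIDs 0x100 and 0x1000, the benign `net stop Spooler` event and all timestamps are made up for the example. Real telemetry should key parents by process GUID rather than PID, because PIDs are reused: the report itself records a net1.exe whose parent PID resolves to taskkill.exe.

```python
"""Burst detector for "net stop"/"taskkill" chains (added example, not from the report)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event; field names are assumptions for this example."""
    ts: float       # seconds since the start of the analysis
    pid: int
    ppid: int
    image: str      # image path; matched on its lowercase basename
    cmdline: str


NET_STOP = re.compile(r"\bstop\s+(?P<svc>\S+)", re.IGNORECASE)
TASKKILL_IM = re.compile(r"/IM\s+(?P<img>\S+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[tuple]:
    """Return (kind, target) for a service-stop or process-kill event, else None."""
    base = basename(ev.image)
    if base in ("net.exe", "net1.exe"):
        m = NET_STOP.search(ev.cmdline)
        if m:
            return ("net_stop", m.group("svc").lower())
    elif base == "taskkill.exe":
        m = TASKKILL_IM.search(ev.cmdline)
        if m:
            return ("taskkill", m.group("img").lower())
    return None


def find_impair_bursts(events, window_s: float = 5.0, threshold: int = 5) -> list:
    """Alert on any parent whose children stop or kill at least `threshold`
    distinct targets within `window_s` seconds; one dict per offending parent."""
    by_pid = {e.pid: e for e in events}
    per_parent: dict = defaultdict(dict)  # owner ppid -> {(kind, target): first ts}
    for ev in sorted(events, key=lambda e: e.ts):
        hit = classify(ev)
        if hit is None:
            continue
        owner = ev.ppid
        # net.exe forwards "stop" to net1.exe, so the same command appears in both
        # processes; credit the net1.exe event to net.exe's parent so the pair
        # counts once.  If the net.exe parent was not captured (or its PID was
        # reused), the event stays under its recorded PPID in a separate bucket.
        if basename(ev.image) == "net1.exe":
            parent = by_pid.get(ev.ppid)
            if parent is not None and basename(parent.image) == "net.exe":
                owner = parent.ppid
        per_parent[owner].setdefault(hit, ev.ts)

    alerts = []
    for ppid, targets in per_parent.items():
        times = sorted(targets.values())
        for i in range(len(times)):          # sliding window over first-seen times
            j = i
            while j < len(times) and times[j] - times[i] <= window_s:
                j += 1
            if j - i >= threshold:
                alerts.append({"parent_pid": ppid, "targets_in_window": j - i,
                               "targets": sorted(targets)})
                break
    return alerts


NET = r"C:\Windows\System32\net.exe"
NET1 = r"C:\Windows\system32\net1.exe"
TK = r"C:\Windows\System32\taskkill.exe"

# Constructed from the report's command lines; PIDs 0x100/0x1000, the Spooler
# event and every timestamp are invented for the example.
SAMPLE_EVENTS = [
    ProcEvent(0.0, 0x910, 0x100, r"C:\Users\victim\Desktop\FmoAc.exe", '"FmoAc.exe"'),
    ProcEvent(0.5, 0x938, 0x910, TK, f'"{TK}" /IM zoolz.exe /F'),
    ProcEvent(0.6, 0x944, 0x910, TK, f'"{TK}" /IM agntsvc.exe /F'),
    ProcEvent(87.0, 0x874, 0x910, NET, f'"{NET}" stop SQLAgent$TPSAMA /y'),
    ProcEvent(87.1, 0xb40, 0x874, NET1, r"C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y"),
    ProcEvent(87.2, 0x878, 0x910, NET, f'"{NET}" stop SQLAgent$VEEAMSQL2008R2 /y'),
    ProcEvent(87.3, 0xb4c, 0x878, NET1, r"C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y"),
    ProcEvent(87.4, 0xba0, 0x910, NET, f'"{NET}" stop SQLAgent$VEEAMSQL2012 /y'),
    ProcEvent(87.5, 0x94c, 0x910, NET, f'"{NET}" stop SQLAgent$TPS /y'),
    # net1.exe whose net.exe parent (0x24c) is not in the event set: separate bucket
    ProcEvent(87.6, 0x848, 0x24c, NET1, r"C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y"),
    ProcEvent(88.0, 0x344, 0x910, NET, f'"{NET}" stop SQLBrowser /y'),
    # benign: an admin stopping a single service from an elevated shell
    ProcEvent(300.0, 0x1234, 0x1000, NET, "net stop Spooler"),
]

if __name__ == "__main__":
    for alert in find_impair_bursts(SAMPLE_EVENTS):
        print(alert)
```

On the sample, only PID 0x910 trips the rule (five distinct stops inside one five-second window; the two taskkill targets sit outside it, the single Spooler stop never reaches the threshold). Tune `threshold` and `window_s` against your own baseline of patch and maintenance windows, where many legitimate `net stop` calls from one installer process can occur.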
Process #298: net1.exe
Information Value
ID #298
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb4c
Parent PID 0x878 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc90000 0xffcc2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffc90000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:38 (UTC) True 1 Fn
Get Time type = Ticks, time = 148637 True 1 Fn
Process #299: net1.exe
17 0
Information Value
ID #299
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb10
Parent PID 0x874 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc90000 0xffcc2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffc90000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:38 (UTC) True 1 Fn
Get Time type = Ticks, time = 148590 True 1 Fn
Process #300: net.exe
0 0
Information Value
ID #300
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb24
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #301: net.exe
0 0
Information Value
ID #301
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbf8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x858
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #302: net1.exe
17 0
Information Value
ID #302
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb00
Parent PID 0x344 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x950
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0019ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff300000 0xff332fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff300000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:38 (UTC) True 1 Fn
Get Time type = Ticks, time = 148918 True 1 Fn
Process #303: net1.exe
17 0
Information Value
ID #303
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb74
Parent PID 0xba0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x808
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff300000 0xff332fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff300000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:38 (UTC) True 1 Fn
Get Time type = Ticks, time = 148934 True 1 Fn
Process #304: net.exe
0 0
Information Value
ID #304
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x964
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x968
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #305: net.exe
0 0
Information Value
ID #305
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaa0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x78C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #306: net1.exe
17 0
Information Value
ID #306
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLSERVERAGENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8e0
Parent PID 0xbf8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff860000 0xff892fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff860000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:39 (UTC) True 1
Get Time type = Ticks, time = 149386 True 1
Process #307: net1.exe
Information Value
ID #307
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLSafeOLRService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xac8
Parent PID 0xb24 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff860000 0xff892fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff860000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:39 (UTC) True 1
Get Time type = Ticks, time = 149339 True 1
Process #308: net.exe
Information Value
ID #308
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLWriter /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x740
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #309: net.exe
Information Value
ID #309
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SstpSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x82c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #310: net1.exe
Information Value
ID #310
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb50
Parent PID 0xaa0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x658
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5c0000 0xff5f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff5c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:39 (UTC) True 1
Get Time type = Ticks, time = 149745 True 1
Process #311: net1.exe
Information Value
ID #311
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLTELEMETRY /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x274
Parent PID 0x964 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x814
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5c0000 0xff5f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff5c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:39 (UTC) True 1
Get Time type = Ticks, time = 149807 True 1
Process #312: net.exe
Information Value
ID #312
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop svcGenericHost /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb44
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #313: net.exe
Information Value
ID #313
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_filter /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9d8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xADC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #314: net.exe
Information Value
ID #314
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_service /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x540
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x984
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #315: net1.exe
Information Value
ID #315
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SstpSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x98c
Parent PID 0x82c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc50000 0xffc82fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 70 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffc50000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = SSTPSVC True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:40 (UTC) True 1 Fn
Get Time type = Ticks, time = 150182 True 1 Fn
Process #316: net1.exe
17 0
Information Value
ID #316
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLWriter /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xd98
Parent PID 0x740 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc50000 0xffc82fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffc50000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:40 (UTC) True 1 Fn
Get Time type = Ticks, time = 150228 True 1 Fn
Process #317: net.exe
0 0
Information Value
ID #317
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_update_64 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x810
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #318: net.exe
0 0
Information Value
ID #318
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TmCCSF /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdd8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #319: net1.exe
17 0
Information Value
ID #319
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_service /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xad8
Parent PID 0x540 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x97C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff360000 0xff392fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff360000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:40 (UTC) True 1 Fn
Get Time type = Ticks, time = 150712 True 1 Fn
Process #320: net1.exe
17 0
Information Value
ID #320
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop svcGenericHost /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9b0
Parent PID 0xb44 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x93C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff360000 0xff392fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff360000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:40 (UTC) True 1 Fn
Get Time type = Ticks, time = 150618 True 1 Fn
Process #321: net1.exe
17 0
Information Value
ID #321
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_filter /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x928
Parent PID 0x9d8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff360000 0xff392fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff360000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:40 (UTC) True 1 Fn
Get Time type = Ticks, time = 150587 True 1 Fn
Process #322: net.exe
0 0
Information Value
ID #322
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop tmlisten /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc3c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #323: net.exe
0 0
Information Value
ID #323
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKey /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x81c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x904
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #324: net.exe
0 0
Information Value
ID #324
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfb4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x65C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #325: net1.exe
17 0
Information Value
ID #325
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_update_64 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xf20
Parent PID 0x810 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff830000 0xff862fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff830000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 151071 True 1 Fn
Process #326: net.exe
0 0
Information Value
ID #326
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x688
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #327: net1.exe
17 0
Information Value
ID #327
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TmCCSF /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xcfc
Parent PID 0xdd8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0024ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff850000 0xff882fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff850000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 151539 True 1 Fn
Process #328: net.exe
0 0
Information Value
ID #328
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop UI0Detect /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd8c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #329: net1.exe
17 0
Information Value
ID #329
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKeyScheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xe8c
Parent PID 0xfb4 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff850000 0xff882fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff850000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 151601 True 1 Fn
Process #330: net1.exe
17 0
Information Value
ID #330
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop tmlisten /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb68
Parent PID 0xc3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x958
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff850000 0xff882fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff850000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 151617 True 1 Fn
Process #331: net1.exe
17 0
Information Value
ID #331
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKey /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xab0
Parent PID 0x81c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x00000000005d0000 0x005d0000 0x005dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff850000 0xff882fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff850000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 151508 True 1 Fn
Process #332: net.exe
0 0
Information Value
ID #332
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x994
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #333: net.exe
0 0
Information Value
ID #333
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xebc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #334: net1.exe
20 0
Information Value
ID #334
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop UI0Detect /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc14
Parent PID 0xd8c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0f0000 0xff122fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 60 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff0f0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = UI0DETECT True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 151898 True 1 Fn
Process #335: net1.exe
17 0
Information Value
ID #335
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd30
Parent PID 0x688 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbf0000 0xffc22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffbf0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 152100 True 1 Fn
Process #336: net1.exe
17 0
Information Value
ID #336
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamBrokerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd20
Parent PID 0xebc (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffca0000 0xffcd2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffca0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 152444 True 1 Fn
Process #337: net1.exe
17 0
Information Value
ID #337
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamBackupSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf50
Parent PID 0x994 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffca0000 0xffcd2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffca0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 152631 True 1 Fn
Process #338: net.exe
0 0
Information Value
ID #338
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x798
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #339: net.exe
0 0
Information Value
ID #339
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf7c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x850
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #340: net.exe
0 0
Information Value
ID #340
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7f8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #341: net.exe
0 0
Information Value
ID #341
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfac
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #342: net.exe
0 0
Information Value
ID #342
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8a8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x918
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #343: net1.exe
17 0
Information Value
ID #343
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamDeploymentService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xee0
Parent PID 0x7f8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffab0000 0xffae2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffab0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:43 (UTC) True 1
Fn
Get Time type = Ticks, time = 153052 True 1
Fn
Process #344: net1.exe
17 0
Information Value
ID #344
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamCloudSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb0
Parent PID 0xf7c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffab0000 0xffae2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffab0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:42 (UTC) True 1
Fn
Get Time type = Ticks, time = 152990 True 1
Fn
Process #345: net1.exe
17 0
Information Value
ID #345
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamCatalogSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xf78
Parent PID 0x798 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xED0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffab0000 0xffae2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffab0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:43 (UTC) True 1
Fn
Get Time type = Ticks, time = 153068 True 1
Fn
Process #346: net.exe
0 0
Information Value
ID #346
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe24
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #347: net.exe
0 0
Information Value
ID #347
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe14
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #348: net1.exe
17 0
Information Value
ID #348
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xef8
Parent PID 0x8a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff330000 0xff362fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff330000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:43 (UTC) True 1
Get Time type = Ticks, time = 153364 True 1
Process #349: net1.exe
Information Value
ID #349
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamDeploySvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd10
Parent PID 0xfac (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff330000 0xff362fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff330000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:43 (UTC) True 1
Get Time type = Ticks, time = 153364 True 1
Process #350: net.exe
Information Value
ID #350
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf48
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x240
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #351: net.exe
Information Value
ID #351
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe10
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #352: net1.exe
Information Value
ID #352
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamNFSSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x954
Parent PID 0xe14 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x95C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb50000 0xffb82fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:43 (UTC) True 1
Get Time type = Ticks, time = 153754 True 1
Process #353: net1.exe
Information Value
ID #353
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamMountSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x710
Parent PID 0xe24 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x838
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
private_0x0000000000650000 0x00650000 0x0065ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb50000 0xffb82fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:43 (UTC) True 1
Get Time type = Ticks, time = 153770 True 1
Process #354: net.exe
Information Value
ID #354
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop W3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x974
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #355: net.exe
Information Value
ID #355
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9cc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #356: net1.exe
Information Value
ID #356
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamTransportSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf34
Parent PID 0xe10 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:44 (UTC) True 1
Get Time type = Ticks, time = 154113 True 1
Process #357: net1.exe
17 0
Information Value
ID #357
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamRESTSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbfc
Parent PID 0xf48 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x990
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:44 (UTC) True 1 Fn
Get Time type = Ticks, time = 154378 True 1 Fn
Process #358: net.exe
0 0
Information Value
ID #358
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop WRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x940
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x890
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x00000000005d0000 0x005d0000 0x005dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #359: net.exe
0 0
Information Value
ID #359
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x834
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x970
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #360: net1.exe
20 0
Information Value
ID #360
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf68
Parent PID 0x9cc (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xABC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 63 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = WBENGINE True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:44 (UTC) True 1 Fn
Get Time type = Ticks, time = 154518 True 1 Fn
Process #361: net1.exe
17 0
Information Value
ID #361
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop W3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x690
Parent PID 0x974 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:44 (UTC) True 1 Fn
Get Time type = Ticks, time = 154487 True 1 Fn
Process #362: net.exe
0 0
Information Value
ID #362
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd78
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #363: net.exe
0 0
Information Value
ID #363
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe40
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #364: net1.exe
17 0
Information Value
ID #364
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop WRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc30
Parent PID 0x940 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4d0000 0xff502fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff4d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:44 (UTC) True 1 Fn
Get Time type = Ticks, time = 154971 True 1 Fn
Process #365: net.exe
0 0
Information Value
ID #365
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_update /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe2c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #366: net1.exe
Information Value
ID #366
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x920
Parent PID 0x834 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xED8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa20000 0xffa52fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:45 (UTC) True 1
Get Time type = Ticks, time = 155174 True 1
Process #367: net1.exe
Information Value
ID #367
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xd54
Parent PID 0xd78 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa20000 0xffa52fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:45 (UTC) True 1
Get Time type = Ticks, time = 155298 True 1
Process #368: net.exe
Information Value
ID #368
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe08
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #369: net.exe
Information Value
ID #369
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf10
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #370: net.exe
Information Value
ID #370
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQL Backups" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd14
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #371: net1.exe
Information Value
ID #371
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_update /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x6ec
Parent PID 0xe2c (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa20000 0xffa52fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:45 (UTC) True 1
Get Time type = Ticks, time = 155626 True 1
Process #372: net1.exe
Information Value
ID #372
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd70
Parent PID 0xe40 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa20000 0xffa52fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:45 (UTC) True 1
Get Time type = Ticks, time = 155564 True 1
Process #373: net.exe
Information Value
ID #373
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5f0
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x640
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #374: net.exe
Information Value
ID #374
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc48
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x804
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #375: net1.exe
Information Value
ID #375
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQL Backups" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc8c
Parent PID 0xd14 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x7E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd00000 0xffd32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:46 (UTC) True 1
Get Time type = Ticks, time = 156063 True 1
Process #376: net1.exe
Information Value
ID #376
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$CXDB /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe04
Parent PID 0xe08 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd00000 0xffd32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:46 (UTC) True 1
Get Time type = Ticks, time = 156094 True 1
Process #377: net1.exe
Information Value
ID #377
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xea0
Parent PID 0xf10 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd00000 0xffd32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:46 (UTC) True 1
Get Time type = Ticks, time = 156125 True 1
Process #378: net.exe
Information Value
ID #378
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcc8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x880
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #379: net1.exe
Information Value
ID #379
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x69c
Parent PID 0x5f0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x3D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff00000 0xfff32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:46 (UTC) True 1
Get Time type = Ticks, time = 156344 True 1
Process #380: net.exe
Information Value
ID #380
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x424
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #381: net.exe
Information Value
ID #381
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop msftesql$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd4c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #382: net.exe
Information Value
ID #382
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x578
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #383: net1.exe
Information Value
ID #383
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfa4
Parent PID 0xc48 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb10000 0xffb42fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:46 (UTC) True 1 Fn
Get Time type = Ticks, time = 156656 True 1 Fn
Process #384: net.exe
Information Value
ID #384
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EhttpSrv /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xedc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #385: net1.exe
Information Value
ID #385
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerADHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xe1c
Parent PID 0xcc8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff60000 0xfff92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff60000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 157171 True 1 Fn
Process #386: net1.exe
Information Value
ID #386
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop msftesql$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc58
Parent PID 0xd4c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff60000 0xfff92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff60000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 157217 True 1 Fn
Process #387: net1.exe
Information Value
ID #387
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop NetMsmqActivator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xac0
Parent PID 0x578 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff60000 0xfff92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 55 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff60000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = NETMSMQACTIVATOR True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 157280 True 1 Fn
Process #388: net1.exe
Information Value
ID #388
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfe0
Parent PID 0x424 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff60000 0xfff92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff60000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 157093 True 1 Fn
Process #389: net.exe
Information Value
ID #389
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ekrn /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb3c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x32C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #390: net.exe
Information Value
ID #390
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ESHASRV /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xf14
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #391: net1.exe
17 0
Information Value
ID #391
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EhttpSrv /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe34
Parent PID 0xedc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x938
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff980000 0xff9b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff980000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 157607 True 1 Fn
Process #392: net.exe
0 0
Information Value
ID #392
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc74
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #393: net.exe
0 0
Information Value
ID #393
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7e4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #394: net1.exe
17 0
Information Value
ID #394
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ESHASRV /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x8c4
Parent PID 0xf14 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffe0000 0x100012fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfffe0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 157888 True 1 Fn
Process #395: net1.exe
17 0
Information Value
ID #395
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ekrn /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa70
Parent PID 0xb3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffe0000 0x100012fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfffe0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:48 (UTC) True 1 Fn
Get Time type = Ticks, time = 158044 True 1 Fn
Process #396: net.exe
0 0
Information Value
ID #396
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AVP /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf5c
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #397: net.exe
0 0
Information Value
ID #397
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop klnagent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe68
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #398: net1.exe
17 0
Information Value
ID #398
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x7f0
Parent PID 0xc74 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x94C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
private_0x0000000000700000 0x00700000 0x0070ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6a0000 0xff6d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff6a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:48 (UTC) True 1 Fn
Get Time type = Ticks, time = 158294 True 1 Fn
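Process entries #391 to #398 above are the sample's service-stop fan-out: each `net.exe stop <service> /y` is launched by the analysis target (parent PID 0x910) and in turn starts a `net1.exe` worker that talks to the service control manager. In every net1.exe Host Behavior block the Service operation "Get Service Name" fails and stderr receives writes of 30, 2, 2 and 52 bytes; those lengths match "The service name is invalid.\r\n", two bare "\r\n" and "More help is available by typing NET HELPMSG 2185.\r\n", so none of the targeted services existed on the analysis machine. That is an inference from the byte counts; the report does not reproduce the text. The Python below is an added detection example and is not part of this VMRay report. It takes constructed process-creation records that mirror the command lines above (report PIDs where the report gives them; the net.exe parents of the EhttpSrv, ESHASRV and ekrn workers, a `taskkill` under the same root and a lone benign stop under an unrelated parent are constructed and marked as such), collapses each net.exe/net1.exe pair onto the process that spawned it, and alerts when one root issues three or more distinct stop or kill targets. The watchlist, field names and threshold are the example's own, and it also matches `sc stop` and `taskkill /IM`, which this excerpt does not show.

```python
"""Added detection example: fan-out of service-stop / process-kill commands.

Not part of the VMRay report. Records are constructed to mirror the net.exe /
net1.exe entries in the report (PIDs as listed there); field names, the
watchlist and the threshold are this example's own choices.
"""
import re
from collections import defaultdict

# Service names the sample stops in this excerpt, lower-cased for matching.
# An operator extends this with the AV/EDR/backup/DB services actually in use.
WATCHLIST = {"ehttpsrv", "eshasrv", "ekrn", "avp", "klnagent",
             "mssql$sophos", "sqlagent$sophos"}
NET_IMAGES = {"net.exe", "net", "net1.exe", "net1"}

# svc_lookup_ok mirrors the net1.exe "Service / Get Service Name" success flag
# in the report; None where the report shows no Host Behavior for the process.
EVENTS = [
    # root: the analysis target (ppid 0 is a placeholder; its parent is not in this excerpt)
    {"pid": 0x910, "ppid": 0x0, "cmd": r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe"', "svc_lookup_ok": None},
    # net.exe launchers and their net1.exe workers, as reported
    {"pid": 0xc74, "ppid": 0x910, "cmd": r'"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y', "svc_lookup_ok": None},
    {"pid": 0x7f0, "ppid": 0xc74, "cmd": r'C:\Windows\system32\net1 stop MSSQL$SOPHOS /y', "svc_lookup_ok": False},
    {"pid": 0x7e4, "ppid": 0x910, "cmd": r'"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y', "svc_lookup_ok": None},
    {"pid": 0xff8, "ppid": 0x7e4, "cmd": r'C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y', "svc_lookup_ok": False},
    {"pid": 0xf5c, "ppid": 0x910, "cmd": r'"C:\Windows\System32\net.exe" stop AVP /y', "svc_lookup_ok": None},
    {"pid": 0xe68, "ppid": 0x910, "cmd": r'"C:\Windows\System32\net.exe" stop klnagent /y', "svc_lookup_ok": None},
    # the net.exe parents of the next three workers lie outside this excerpt;
    # their records are constructed here, with ppid 0x910 assumed
    {"pid": 0xedc, "ppid": 0x910, "cmd": r'"C:\Windows\System32\net.exe" stop EhttpSrv /y', "svc_lookup_ok": None},
    {"pid": 0xe34, "ppid": 0xedc, "cmd": r'C:\Windows\system32\net1 stop EhttpSrv /y', "svc_lookup_ok": False},
    {"pid": 0xf14, "ppid": 0x910, "cmd": r'"C:\Windows\System32\net.exe" stop ESHASRV /y', "svc_lookup_ok": None},
    {"pid": 0x8c4, "ppid": 0xf14, "cmd": r'C:\Windows\system32\net1 stop ESHASRV /y', "svc_lookup_ok": False},
    {"pid": 0xb3c, "ppid": 0x910, "cmd": r'"C:\Windows\System32\net.exe" stop ekrn /y', "svc_lookup_ok": None},
    {"pid": 0xa70, "ppid": 0xb3c, "cmd": r'C:\Windows\system32\net1 stop ekrn /y', "svc_lookup_ok": False},
    # constructed, not in the report: a process kill under the same root, and a
    # single administrative stop under an unrelated parent that must not alert
    {"pid": 0x1001, "ppid": 0x910, "cmd": r'"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F', "svc_lookup_ok": None},
    {"pid": 0x1002, "ppid": 0x2000, "cmd": r'"C:\Windows\System32\net.exe" stop "Print Spooler"', "svc_lookup_ok": None},
    {"pid": 0x1003, "ppid": 0x2000, "cmd": r'"C:\Windows\System32\ipconfig.exe" /all', "svc_lookup_ok": None},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')


def argv(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in _TOKEN.findall(cmd)]


def image_of(cmd):
    """Lower-cased file name of argv[0], with or without a path or .exe suffix."""
    a = argv(cmd)
    return a[0].replace("/", "\\").rsplit("\\", 1)[-1].lower() if a else ""


def classify(cmd):
    """(kind, target) for `net[1] stop <svc>`, `sc stop <svc>`, `taskkill /IM <image>`; else None."""
    a = argv(cmd)
    if not a:
        return None
    img, rest = image_of(cmd), [x.lower() for x in a[1:]]
    if (img in NET_IMAGES or img in ("sc.exe", "sc")) and len(rest) >= 2 and rest[0] == "stop":
        return "service_stop", rest[1]
    if img in ("taskkill.exe", "taskkill") and "/im" in rest:
        i = rest.index("/im")
        if i + 1 < len(rest):
            return "process_kill", rest[i + 1]
    return None


def root_of(ev, by_pid):
    """First ancestor that is not a net.exe/net1.exe worker, so each
    net.exe -> net1.exe pair collapses onto the process that spawned it."""
    pid = ev["ppid"]
    while pid in by_pid and image_of(by_pid[pid]["cmd"]) in NET_IMAGES:
        pid = by_pid[pid]["ppid"]
    return pid


def detect(events, watchlist=WATCHLIST, min_targets=3):
    """Alert on every root process with at least min_targets distinct stop/kill targets."""
    by_pid = {e["pid"]: e for e in events}
    per_root = defaultdict(dict)  # root pid -> target -> {"kind", "lookup_ok"}
    for e in events:
        hit = classify(e["cmd"])
        if hit is None:
            continue
        kind, target = hit
        rec = per_root[root_of(e, by_pid)].setdefault(target, {"kind": kind, "lookup_ok": None})
        if e.get("svc_lookup_ok") is not None:  # only the net1.exe worker carries the SCM result
            rec["lookup_ok"] = e["svc_lookup_ok"]
    alerts = {}
    for root, targets in per_root.items():
        if len(targets) < min_targets:
            continue
        alerts[root] = {
            "image": image_of(by_pid[root]["cmd"]) if root in by_pid else None,
            "targets": sorted(targets),
            "kinds": {t: r["kind"] for t, r in targets.items()},
            "watchlist_hits": sorted(t for t in targets if t in watchlist),
            # name lookup failed on the host: the stop reached no such service there
            "lookup_failed": sorted(t for t, r in targets.items() if r["lookup_ok"] is False),
        }
    return alerts


if __name__ == "__main__":
    for root, a in detect(EVENTS).items():
        print(f"root 0x{root:x} ({a['image']}): {len(a['targets'])} targets, "
              f"{len(a['watchlist_hits'])} on watchlist, {len(a['lookup_failed'])} lookups failed")
```

Run stand-alone it prints one alert, for root 0x910 (fmoac.exe). The threshold is the point: a single `net stop` is routine administration, while one parent issuing stops for antivirus, backup and database services within the same few seconds is the pre-encryption pattern this report records. On a live host the same logic runs over Sysmon Event ID 1 or Windows Security 4688 process-creation events, which carry the parent process ID and command line fields the records above use.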
Process #399: net1.exe
17 0
Information Value
ID #399
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xff8
Parent PID 0x7e4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6a0000 0xff6d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff6a0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:48 (UTC) True 1
Get Time type = Ticks, time = 158497 True 1
Process #400: net.exe
0 0
Information Value
ID #400
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9bc
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #401: net.exe
0 0
Information Value
ID #401
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x818
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #402: net.exe
0 0
Information Value
ID #402
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbf4
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #403: net.exe
0 0
Information Value
ID #403
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop kavfsslp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x488
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x3C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #404: net1.exe
17 0
Information Value
ID #404
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AVP /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb00
Parent PID 0xf5c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff400000 0xff432fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff400000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:48 (UTC) True 1
Get Time type = Ticks, time = 158887 True 1
Process #405: net1.exe
17 0
Information Value
ID #405
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop klnagent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x89c
Parent PID 0xe68 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff400000 0xff432fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff400000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:48 (UTC) True 1
Get Time type = Ticks, time = 158918 True 1
Process #406: net1.exe
20 0
Information Value
ID #406
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf54
Parent PID 0xbf4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x344
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff400000 0xff432fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 63 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff400000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = WBENGINE True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:48 (UTC) True 1
Get Time type = Ticks, time = 158949 True 1
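Processes #399 through #408 are one pattern repeated: the analysis target (PID 0x910) runs "net.exe stop <service> /y", net.exe relaunches itself as net1.exe with the same arguments, and the targets are SQL Server instance services (MSSQL$..., SQLAgent$...), the Windows Block Level Backup Engine (wbengine) and Kaspersky services (AVP, klnagent, kavfsslp, KAVFSGT). In this sandbox most of the services do not exist: each net1.exe opens the service control manager, "Get Service Name" fails, and three short writes go to STD_ERROR_HANDLE (30, 2 and 52 bytes, consistent in length with "The service name is invalid.", a blank line and the "More help is available by typing NET HELPMSG ..." pointer). Only #406 finds its target (Get Info service_name = WBENGINE, then a 63-byte message). For detection the outcome is irrelevant: the intent is fully visible in the command line, and the net.exe/net1.exe pair must be counted as one attempt per service, not two. The parent attribution also needs a caveat: #404, #406 and #408 are children of a net.exe as expected, but #399 is recorded with another net1.exe (0x7e4) as parent and #405 with taskkill.exe (0xe68). With this many short-lived children that is most likely PID reuse, so such parent records should be flagged rather than trusted.

The following is an added example and is not part of the VMRay report or of the sample's own code. It is Python detection logic over process-creation records constructed from the PIDs, parent PIDs and command lines listed in this report (the taskkill.exe command line, the 0x000 parent placeholder for the analysis target, the service category table and the alert thresholds are assumptions). It builds the process tree, attributes each stop or kill to the nearest ancestor that is not a relay tool, deduplicates the net/net1 pair, flags implausible net1.exe parents, and raises one alert per initiating process that sweeps several defensive services. It goes slightly beyond the report by also parsing "taskkill /IM" targets, which the same initiator uses in the process list.

```python
import re
from collections import defaultdict, namedtuple

# Added example, not from the VMRay report; RECORDS is constructed from the PIDs and
# command lines listed above, with the assumptions marked in comments.
Proc = namedtuple("Proc", "pid ppid image cmdline")

# Assumed category table. Names ending in "$" are prefix-matched (SQL Server named
# instances), the rest exact. wbengine is the Windows Block Level Backup Engine;
# AVP, klnagent, kavfsslp and KAVFSGT are service names used by Kaspersky products.
SERVICE_CATEGORIES = {
    "database": ("MSSQL$", "SQLAgent$", "MSSQLSERVER", "SQLSERVERAGENT"),
    "backup": ("wbengine",),
    "security": ("AVP", "klnagent", "kavfsslp", "KAVFSGT"),
}
# Built-in tools that only relay a request; attribution goes to the nearest other ancestor.
RELAY_IMAGES = {"net.exe", "net1.exe", "taskkill.exe", "cmd.exe"}
NET_STOP_RE = re.compile(r'(?i)\bstop\s+(?:"([^"]+)"|(\S+))')  # net/net1 stop <svc> [/y]
TASKKILL_RE = re.compile(r'(?i)/IM\s+(?:"([^"]+)"|(\S+))')     # taskkill /IM <image> /F


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def categorize(service):
    s = service.lower()
    for category, names in SERVICE_CATEGORIES.items():
        if any(s.startswith(n.lower()) if n.endswith("$") else s == n.lower() for n in names):
            return category
    return "other"


def kill_target(proc):
    """(target, category) if the process stops a service or kills a process, else None."""
    image = basename(proc.image)
    pattern = NET_STOP_RE if image in ("net.exe", "net1.exe") else TASKKILL_RE if image == "taskkill.exe" else None
    m = pattern.search(proc.cmdline) if pattern else None
    if not m:
        return None
    target = (m.group(1) or m.group(2)).lower()
    return target, ("process" if pattern is TASKKILL_RE else categorize(target))


def parent_anomaly(proc, by_pid):
    """net1.exe is started by net.exe; any other parent points to PID reuse or a lost event."""
    if basename(proc.image) != "net1.exe":
        return None
    parent = by_pid.get(proc.ppid)
    if parent is None:
        return f"parent 0x{proc.ppid:x} not in the record set"
    if basename(parent.image) != "net.exe":
        return f"parent 0x{proc.ppid:x} is {basename(parent.image)}, not net.exe"
    return None


def find_initiator(proc, by_pid):
    """Walk up through relay tools to the process that issued the command; None if the chain breaks."""
    cur, seen = proc, set()
    while cur is not None and basename(cur.image) in RELAY_IMAGES and cur.pid not in seen:
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return cur


def analyze(records, min_targets=3):
    """Group stop/kill targets per initiator; alert on a sweep across several targets or categories."""
    by_pid = {p.pid: p for p in records}
    targets = defaultdict(dict)  # initiator pid -> {target: category}
    anomalies, unattributed = [], []
    for p in records:
        msg = parent_anomaly(p, by_pid)
        if msg:
            anomalies.append((p.pid, msg))
        hit = kill_target(p)
        if hit is None:
            continue
        initiator = find_initiator(p, by_pid)
        if initiator is None:
            unattributed.append((p.pid, hit[0]))
            continue
        targets[initiator.pid][hit[0]] = hit[1]  # net.exe and its net1.exe child count once
    alerts = []
    for pid, hits in targets.items():
        cats = sorted(set(hits.values()))
        if len(hits) >= min_targets or len(cats) >= 2:
            alerts.append({"initiator_pid": pid, "initiator": basename(by_pid[pid].image),
                           "targets": sorted(hits), "categories": cats})
    return {"alerts": alerts, "anomalies": anomalies, "unattributed": unattributed}


# Constructed from the report's process entries. Assumed: parent 0x000 for the analysis
# target (its parent is not in the report) and the taskkill.exe command line.
DESKTOP = r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop"
NET, NET1 = r"C:\Windows\System32\net.exe", r"C:\Windows\System32\net1.exe"
TASKKILL = r"C:\Windows\System32\taskkill.exe"
RECORDS = [
    Proc(0x910, 0x000, DESKTOP + r"\FmoAc.exe", '"' + DESKTOP + r'\FmoAc.exe"'),
    Proc(0xe68, 0x910, TASKKILL, '"' + TASKKILL + '" /IM example.exe /F'),
    Proc(0xff8, 0x7e4, NET1, r"C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y"),  # parent not listed
    Proc(0x9bc, 0x910, NET, '"' + NET + '" stop MSSQL$SQLEXPRESS /y'),
    Proc(0xa6c, 0x9bc, NET1, r"C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y"),
    Proc(0x818, 0x910, NET, '"' + NET + '" stop SQLAgent$SQLEXPRESS /y'),
    Proc(0xbf4, 0x910, NET, '"' + NET + '" stop wbengine /y'),
    Proc(0xf54, 0xbf4, NET1, r"C:\Windows\system32\net1 stop wbengine /y"),
    Proc(0x488, 0x910, NET, '"' + NET + '" stop kavfsslp /y'),
    Proc(0xa74, 0x910, NET, '"' + NET + '" stop KAVFSGT /y'),
    Proc(0xb00, 0xf5c, NET1, r"C:\Windows\system32\net1 stop AVP /y"),  # parent not listed
    Proc(0x89c, 0xe68, NET1, r"C:\Windows\system32\net1 stop klnagent /y"),  # parent recorded as taskkill.exe
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(RECORDS), indent=2))
```

Running the block attributes seven distinct targets across the database, backup, security and process categories to fmoac.exe and raises a single alert for it, while the two net1.exe entries whose recorded parent is absent from the record set end up in "unattributed" and all three implausible parents are listed under "anomalies". On real telemetry the same logic applies to Sysmon event 1 or Windows 4688 records, where the walk through relay tools is what prevents the alert from landing on net.exe instead of the process that actually issued the sweep.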
Process #407: net.exe
0 0
Information Value
ID #407
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop KAVFSGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa74
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #408: net1.exe
17 0
Information Value
ID #408
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa6c
Parent PID 0x9bc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff400000 0xff432fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff400000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:49 (UTC) True 1
Fn
Get Time type = Ticks, time = 159261 True 1
Fn
Process #409: net1.exe
17 0
Information Value
ID #409
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x9c8
Parent PID 0x818 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0008ffff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff400000 0xff432fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8f20000 0x7fef8f31fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff400000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:49 (UTC) True 1
Fn
Get Time type = Ticks, time = 159277 True 1
Fn
Process #410: net.exe
0 0
Information Value
ID #410
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop KAVFS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbf8
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #411: net.exe
0 0
Information Value
ID #411
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfefire /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb24
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff870000 0xff88bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #412: cmd.exe
59 0
Information Value
ID #412
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" /f
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x840
Parent PID 0x910 (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
pagefile_0x0000000000520000 0x00520000 0x006a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000840000 0x00840000 0x01c3ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001c40000 0x01c40000 0x01f82fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01f90000 0x0225efff Memory Mapped File r False False False -
cmd.exe 0x4a710000 0x4a768fff Memory Mapped File rwx True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef8f40000 0x7fef8f47fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop type = file_attributes True 2
Fn
Open STD_OUTPUT_HANDLE - True 5
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\reg.exe os_pid = 0x9c4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a710000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77550000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77566d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x775623d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77558290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x775617e0 True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:50 (UTC) True 1
Fn
Get Time type = Ticks, time = 160119 True 1
Fn
Environment (19)
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #413: dwm.exe
21757 0
Information Value
ID #413
File Name c:\windows\system32\dwm.exe
Command Line "C:\Windows\system32\Dwm.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:39, Reason: Injection
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:30
OS Process Information
Information Value
PID 0x448
Parent PID 0x33c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA60
0x32C
0x460
0x454
0x44C
0xB50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00112fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
pagefile_0x00000000001b0000 0x001b0000 0x00337fff Pagefile Backed Memory r True False False -
private_0x0000000000340000 0x00340000 0x00340fff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x00352fff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00600fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000610000 0x00610000 0x01a0ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001a10000 0x01a10000 0x01e02fff Pagefile Backed Memory r True False False -
rsaenh.dll 0x01e10000 0x01e54fff Memory Mapped File r False False False -
private_0x0000000001e70000 0x01e70000 0x01e7ffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01f7ffff Private Memory rw True False False -
pagefile_0x0000000001f80000 0x01f80000 0x0205efff Pagefile Backed Memory r True False False -
private_0x0000000002070000 0x02070000 0x020effff Private Memory rw True False False -
private_0x0000000002170000 0x02170000 0x021effff Private Memory rw True False False -
private_0x00000000021f0000 0x021f0000 0x022effff Private Memory rw True False False -
private_0x0000000002300000 0x02300000 0x0237ffff Private Memory rw True False False -
private_0x0000000002410000 0x02410000 0x0248ffff Private Memory rw True False False -
sortdefault.nls 0x02490000 0x0275efff Memory Mapped File r False False False -
private_0x0000000002760000 0x02760000 0x02854fff Private Memory rw True False False -
private_0x0000000002870000 0x02870000 0x028effff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
psapi.dll 0x77830000 0x77836fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
dwm.exe 0xff310000 0xff332fff Memory Mapped File rwx False False False -
private_0x000000013f060000 0x13f060000 0x13f095fff Private Memory rwx True False False -
dxgi.dll 0x7fefa700000 0x7fefa7a6fff Memory Mapped File rwx False False False -
d3d10_1core.dll 0x7fefa7b0000 0x7fefa804fff Memory Mapped File rwx False False False -
d3d10_1.dll 0x7fefa810000 0x7fefa843fff Memory Mapped File rwx False False False -
dwmcore.dll 0x7fefa850000 0x7fefa9e1fff Memory Mapped File rwx False False False -
dwmredir.dll 0x7fefa9f0000 0x7fefaa16fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
windowscodecs.dll 0x7fefb970000 0x7fefba99fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbae0000 0x7fefbaf7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
userenv.dll 0x7fefc960000 0x7fefc97dfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd5c0000 0x7fefd5cefff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefd660000 0x7fefd66efff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefd750000 0x7fefd8b6fff Memory Mapped File rwx False False False -
wintrust.dll 0x7fefd8c0000 0x7fefd8f9fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe 0x914 address = 0x13f060000, size = 221184 True 1
Fn
Data
Create Remote Thread #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe 0x914 address = 0x13f0619a0 True 1
Fn
Created Files
Filename File Size Hash Values YARA Match Actions
C:\ProgramData\RyukReadMe.txt 2.00 KB MD5: 1e5d393290c87f1ccc62a1d3f89caf47
SHA1: 87e6f98deeca6ed2ff27e7bfe8dd306b09bab088
SHA256: 5971bf3131a292583967ee2ff687e7bf135930fe2bf5df76c6058852abdb7ace
SSDeep: 48:ZpUoHkwB1kkerTWOU+pbwsl4id2niFclWgqnddhLDAb3SvZl:Z6ckRM+Jtron6cAgqndL3AsZl
False
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.05 KB MD5: 93a5aadeec082ffc1bca5aa27af70f52
SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SSDeep: 3:/lE7L6N:+L6N
False
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE 1.41 KB MD5: f22186973841401a70277250dbeef346
SHA1: 34cca504a460a77da3b937c85f6dd8ea64e4dea1
SHA256: 1de15421cf2aecb17166b630867ba5a9718e3825e0b29847244c24e124de961d
SSDeep: 24:a2BL4t+DFLC6FxrrHwImjRzykdOTTKmpLBsEG8sr0z/9N38V9sC6ksy:acLxC6vrrHyYMyKmpLBsEG8RH388uf
False
C:\users\Public\PUBLIC 0.27 KB MD5: c60821cc4336f6453f9dc5453d8f0b7d
SHA1: 09719d9251a7ec8f4c809f4c4377ae48a1629d3a
SHA256: df506e1f6cba7dbcad75cebde8340000b3181409fa672f971825c2c06ec764a1
SSDeep: 6:mtNSbTDfsAH1p8r5iyN7Y+BogRdulAjrsNM5rJMb5R9jiyKn:YiTrXHP8r8jNKdu3M65vjRK
False
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.33 KB MD5: a41dd4ceb540dbe31d9e0f6f26d42b04
SHA1: 68279efe1f6e510f771554ec601079649ed70c98
SHA256: 02aa3186c5b694ecc62f8bca5363d8983400ac4f9312510dee94f61577924781
SSDeep: 6:C2M0wkbSUxRZnxk92jUWSX25PxXkxz8rLDeXuy4Qwl5TgZcwJnWAJn:pO4SaZxhVsSPxUyPDe+dQwluhn
False
Modified Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD 2.00 KB MD5: 3d605d0c6cd7a48160150c467aa83dac
SHA1: 5a1331867693742c4f25c07b7cada4436e2796d1
SHA256: f684902b051ffb0b7f724ae1ac0ce0a8b07d0278491a59d0869bd009182c6c67
SSDeep: 48:j+RRUQOn/T3nQ6d97c4w8qba/OvF77rXQoyB5Xx:jmk/T3nQgvMa2vF/DQvB
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\clickonce_bootstrap_unsigned.manifest 1.63 KB MD5: fa5fb1800a9908bd73270edb68dad948
SHA1: a3639e6477b5abc9b80b3ff68cbdfb4dff1ad2f8
SHA256: fc7aa7840075d192bc3f60dbe2d8d37df2b6ecbca1fba57e0b53a6cc72811c6a
SSDeep: 48:HJLiPMEi05JP1vwLhtsUxNmVXPIO/bkWRGkPyVN:p+iYP1vwLzUXgO/DR1PMN
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E 0.72 KB MD5: 3635c246ecec600bf3665864edd896b2
SHA1: 5c3e688706fbc585c9cb4a7f837ca2ea05afffe6
SHA256: 490c4cd4603f7875062de62fdc271fb54d62aeb49ababd73c0cbd1daae5a0b94
SSDeep: 12:ljdTHalC02u9CA9tl64vfEZHZ65BBu0lFAJORAQ/oqeG/DXCcdkBLrZT6c1QQQVN:lh57uPtHv8dZMJsJ2KbGbpyLV6AAmPoL
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms 28.28 KB MD5: 491899f95a074ab8c3e34fda0abd348a
SHA1: cf43934331a3a79863a4332ea5f4ec95f1c449df
SHA256: 71615f4595365e5353cbab77c3f7d894cd6c96bd23c107698177d7eb16776461
SSDeep: 768:rSZmRamfgNgEwQYvtLxeaiEahLJuyHKjfR:r5+NgEqVxjmLJrHg
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F90F18257CBB4D84216AC1E1F3BB2C76 0.81 KB MD5: 3039cf2b8cde958de9e1f4c1f97026da
SHA1: 6970a9ba57aae936005b3d912c1d43f412d0ca16
SHA256: f5f9b3f7cd0a111e8159ce8d3179b8b94ae97b6c1e69bcdef8304effd9181c48
SSDeep: 24:3/wDAV9GVqj24HnLpBJpgDW4N7gyFCIP2lc:3/mAV983InLTJpgDW4RKlc
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Color\Profiles\wsRGB.icc 2.89 KB MD5: 0ccdafd14e8991300bb5a59c6125bb8c
SHA1: 329240481c6201b9c527e8544fdd73e34224bdaf
SHA256: 03b99e298e48aabcdfa1eae3ca6e6ebdbc7a1d98fc8b1a0661269643935fd191
SSDeep: 48:PnyBJ1k7IeG52dqvsoL3g2wp5OCHJMRbhbjRBgkYwWLlwLf3KP7XmxLoWtnf:2Jm7Ir2kEh2K/EjRBELaLf6TUsq
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\05_Pictures_taken_in_the_last_month.wpl 1.05 KB MD5: 794e16ded59752de05feec7d906199ec
SHA1: c127af47c41f90dff72ad01e65f7dcfc49889867
SHA256: cc2b70fdfd6aca275527ec7a450a03c9d9cde749354af486bdd9684d0555f03d
SSDeep: 24:cHnzRX2zBji0g+uAe/LMF3oA1fqItsdJpWs1c:cHzAzBjHpe/Le51fqI+Jppc
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973 0.74 KB MD5: c31cbe703a16d8d23a96fee29fdf02d8
SHA1: 8eea9883bd0957ec2035792f5b6e8fc679ae117c
SHA256: 65c41594729398866bd9e0dd28c92564f4ece402993713df61cbedcfe92cabf5
SSDeep: 12:oUP3s/mgFoWney9lYGHEKw950QtWdMicy/tO1JZdoGJ9SLPTUE4X7YuttxJCBKq0:oUfs/mdWnT9lVHBwMdn7FO45YTptF4h0
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\x7hbSg-AIke.bmp 99.66 KB MD5: 27a2ae72399aef777a68ea1633c242fe
SHA1: 9e516c30c8e43a4958302d1fe1d21e0204067685
SHA256: aa381eec2b6762c5dc9a595e41e25f4260a34efb4fe6a9afbeab3f22a86b7ec3
SSDeep: 3072:sjkY+mKT8M8ol0o/u45+tS6KFuJuftgT8o5wEi3s:/7vuS7ugtgAmic
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450 0.74 KB MD5: 1729d6af8837f7ee92933d1f7bb8943e
SHA1: 90d3b919da37258850f64ceb1ff15c1068b96e28
SHA256: aee124201566eeb6cef2ec90dede1900d47da7668f920a734d23a0f38077bb86
SSDeep: 12:ekjcY71KQhMoEXw5lLXXHdQaNI1i6xCXyjANpcv3Wh1J578pjMTa1VGTjb5aKuuU:ZAYJCA5lZQaNIpjAW+J5Ix2a1Ixlo
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E 0.66 KB MD5: 548a8a2f03e32327f0951d8e3a03d9e6
SHA1: 8e72baac876c9dd3a2e0b8bf3a02ee349ec59bd2
SHA256: ed9a048947905b0757111f771a2215d40ff253cfc41d6144f5575e47355cfdda
SSDeep: 12:bwmS7pN3ndjLJR8xkjTWQajHzG6BdoBaWwuWDM8dKGroA6d1ksP2Yp:cNlNXdj4kjTWQozG6LoTwu6/rx6d1ksX
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\03_Music_rated_at_4_or_5_stars.wpl 1.52 KB MD5: 55b6f796c6b1f161b6078432d6c54047
SHA1: c72eb96b8d4e9f10357b3ce4e2bb8fb3c7269942
SHA256: 2fce0e21f2c975444dabe25332787d941f9b596e9e6c46c48870f54486b15f22
SSDeep: 48:koXzUA5ZbP6yHMPMOvBb0fAPQ3vQf0avclvfiBe+CqGNdS:kcUM760MPdvifSQ3vEUfce+iS
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150 0.78 KB MD5: 62618cfe2aab3636d1cbc70342ebbec0
SHA1: f2a6844c7cfdd615bd55778ffb79ad9c2d43f485
SHA256: 108a47c21fd98fc3e858d008b2a8cf8004899ce77c1a4b04bc5109d63e18b02e
SSDeep: 24:mJxP2JCB9ZkOBD12l3njEkp8/mTTExnUMQ2s:mS+bL2lQkp8/mXYnUMK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms 32.28 KB MD5: 7aa8142e8c29dc10a494408747a66e37
SHA1: 8df95cfa1559f535ed489e2733db9f376739486b
SHA256: 61af1e57499445072a87a14c935f21f075bd201516762a591f84a2e480b58507
SSDeep: 768:YQyAqcyT+cjzkjiKlcK0kNCgWorJCiipVoxlHqhp4JqLFW6E3d:YnRTbzk/c6SosiiklHqhuJb5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B 0.67 KB MD5: 5f0072213d5e1eaa9fc650e3130f03f4
SHA1: beed0caeeb04cc8d915b178dc9ed519bcb219a92
SHA256: 34adfce0f84f944b100768878ac64d6eb4e1e8ab3663d41e603b507ef3947aa5
SSDeep: 12:8QAQBitmc126ZOKJ19ZlVdMNlGVz//8x4D1mkRnWSs6rss2s7e4ucdYNFqGYDgAJ:PwmVlKJnpdMNKswmAWt6VH7uctg6
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\02_Music_added_in_the_last_month.wpl 1.52 KB MD5: ab820eddda12276654a5be2eccb4d4e4
SHA1: a8fed6f11b589c3425bcb992528aa56b3a6ad1a6
SHA256: 198245fa192dadf46c8f09490b66d5cf12f70ac9c06e0bef5046a323dca80c17
SSDeep: 48:hwPgrY6RDHJz/j+EApSsxKuGoLvDOhDAsoi:xlDHJjj+5eutiJAsh
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Vzdyixuson.flv 88.41 KB MD5: 8ec0cd56e5c732a3e3f75f4569bb53b9
SHA1: 1c5f59223d8dfc57fecb574c76548f75dcbc0d9c
SHA256: b534768c06136b6108a18fe61141f930181f82254a64b5decdbedfc5177d4f8d
SSDeep: 1536:5yr6eOxYykMWZZJQixgM0kOX7XWBViKt9I4ed0ocQFAijjk4hkNhPXlbBDbMcyxt:8r5OFbWZnCNCVP+4rocQuisgkNRlb9MF
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\VkZynCnq6y0.png 88.00 KB MD5: b39ac30ce0f6cd9abb43843c3c5df9f5
SHA1: 5bde97d00c1db50142beab748075fb50bd46ef1d
SHA256: ff4833e3021c73758bde909dcd221c5441ae5f55e5268f5dcb62e9dd69eac427
SSDeep: 1536:3auCCNE/74o1vYizEReqnNoCR1vcsi6ziX4Qc8w8wqsiK7KATJ2gA2x6qcbv:3lCSEMoWReqLRlcsCc316AT8gzrW
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD 128.28 KB MD5: 70228201d48d10e64460066b35eef99d
SHA1: 0f628e67044b765b8fe1a9c926f8ff5f651907ed
SHA256: e336be27d85b2a64d54bf40df60fd9702412bf8e10bbc92c7b6d1b1dfec8e84f
SSDeep: 3072:p5U2ah7acyNZQT2nFcjYcZBvth6K/0KGWz4MyUnJPpupRq7S:nIhecyNs2FAf6KsNWzjycPpupRqW
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF 0.39 KB MD5: beb5c162657c1ab016833682cb8ab9c9
SHA1: 71c40ef4b25bcbd35bdc8a2fe30175a76bf6cd9d
SHA256: 52a0eb85ad4d78570e1581ebe966c75c2e03fca3f255ed8380f19dda7e266ba3
SSDeep: 12:EAxiyAZ8Ze2Fp8HI2CKAlKY0KvXfY+beaWIQSvQ:EUiT2ejo2ElKSP/4I3vQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\AP56ujxo.gif 89.33 KB MD5: 9a7e3e3e53c7cc79995126128308ccc8
SHA1: a66e67cff23bbe3cc0371519377f940110ca5f0b
SHA256: 8d1fd2055f884095ff0566e1fbce3ee366d9f4796bd7dbbd7a83d0474390860d
SSDeep: 1536:TbNXtJAFSHYybnfF7fnn2A7U5fIvzM+ndhahYxj0ISy7G7y1Rq/eh82MOrVsEu6e:PNXtJAE4yjxn2AkCMQLaYxxG7y1R5hZm
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406 0.53 KB MD5: 202ff0dba0fd5e411c497878f4c95f82
SHA1: f5e979d2b09f8f129c609bb04f55618ec609031c
SHA256: 0338bece4d12c30d29ccb020f5e025f667e6bc3b34615dca23156699b90638fe
SSDeep: 12:RE+N+efm2161tBa5HWSPVtKoDvD/3VvSz9os42TJhAZXu:K/efmq5HWSPHDvD/3VNs42HIu
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Xvfh8g056KKpbsL.odp 76.46 KB MD5: 7f7b3ee94140d15180babf890421ef7f
SHA1: 070ed386e379b0d62db535a4839990dbe365c2de
SHA256: ba222e7f5626fec8e2d4e43696e7ce366ac4236750063636b07705a9b84e761f
SSDeep: 1536:RbYkKOF2OkW8KgJJP1L2LdpnYuwzKeyaUz0+0f:REOUVZKRZxmzgdz0Rf
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat 32.28 KB MD5: 76935818493bfa6688ce0fc0d9bde8ba
SHA1: e3b3e96c33748efc710ea25d678446a00d82bdef
SHA256: 856f64a613127957b9818aaea6e3975dca683a9c4f8fbc6802f53f8af7c8393a
SSDeep: 768:8BzPqEwwaU4mYhIYMMHTg/jt2w/gwx1A53B8tFK7CaoRmdc/GcJ:85yBweCig/lxm53qHKeaozJJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD 0.52 KB MD5: 0d00f7ad865bafa10be3102082e0c609
SHA1: dcebddb844e1afc6ca9ba1491059351794a3de0e
SHA256: f50924501a313ea4b9943f918debe2a06a594c8c63d75b2e70c2920204a760ca
SSDeep: 12:oqEfjxKUhkip1a0FR1YE0rTjg1bpNrv9bAeBEs:oljaiCU1YEsYRBbAds
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\04_Music_played_in_the_last_month.wpl 1.53 KB MD5: 2431da335864a207e5a2382d273abb67
SHA1: df9e92351a56959e64bf5bfb5913a8ca7bc7f4ac
SHA256: 53790ac20fd5e216ed20d70a55f7e9e87ffdd56be11c8cea1caa8eeb64c0f0ba
SSDeep: 48:+UdKCpCCuBg3V/Ob5LaOiSBdOnXfmwZC+sPD:+48aVU1aOlAX+wZC+sPD
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB 0.72 KB MD5: f2139b2028e9bc1219243f8fd1b0bb17
SHA1: 33462e009c3908891539e70c21f935b0e9b20a87
SHA256: aaa78f206ab62a8a0c5485734c0f41ad314cf45e37aace4afb5aca804c0bf88c
SSDeep: 12:cZVjBVaXMv3b4Pbxwde/ENqdNwymfNvC5y1smf0EiwwwbSgIocQ:yVjBA23+bmde/ok/4gmf0zvg
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Visio\content14.dat 99.50 KB MD5: 93287e33530167186a421f9e05ac4530
SHA1: 276d5c22035786f47c9ff767cf480f4e049a6c43
SHA256: 5d835e0c78073045ae1409ae34608626c6f2891f721f72a75cd1a3b78a7c0b80
SSDeep: 1536:m6h1A39wTP9V6riuACnAUrXw/bjyIXBhVTqPa/I/P8a5fZY2h9FJVyNkol7oFD+L:JIOT1JdCl4jxhua/i8y9vVyNkouBXSbV
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Color\ACECache11.lst 1.42 KB MD5: 694964e4a7e26777dcf067f5d60125e3
SHA1: 41c2a60183d3a8a16b0edbcb033257b6928d4038
SHA256: f1fc92f0d66a12dd0cbf37a994f4b3dee837865bdca05b1d1a4b9961f52d6ea4
SSDeep: 24:NpmJoRordGYYJIjDhb5xW5T0eIF/fi6Re5pQMouCOE+GuL5wYei406CW/5nQ9mgn:NpmJoRorsYYup54V0eIF3Z85CMNEV4br
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E 0.72 KB MD5: e3c9974ffdde8ae9741439ee0992b184
SHA1: 188184f1efb9272cefacfcf179bd3297b091153e
SHA256: 9fd496c868beb14acf74939a5b2f33a57bef024da3147080c6cd8bcb8c6e976d
SSDeep: 12:NpEuMBHmmLy65OpenUqRCwTH85ssQm9oFY8zqMyof6s2OE:NYBHhLrOMnVfH85Qm9olGIv2OE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\QFHy94MFeo.swf 61.67 KB MD5: 54583375e97b279a010d1baf8ad2f03f
SHA1: 93e6eb1a5f5f634527e4217718c36bbc6896ce80
SHA256: 69e2de020d309926c05cfc78a4c903c0013b7b8be0d607e199608d1835ef1eef
SSDeep: 1536:a5zxb6DEowgFpt3jrfXQlhIvsRLvWNTfbpctOgj:a51m/wgFpt3PYfIE9eN/pctOgj
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E 0.66 KB MD5: a2dcbe0c2273ee43fd17b3665dbf7581
SHA1: 5adca1cddfe59f3231fa2d4c153c741dd02820ba
SHA256: f6bc109502ae3ef35e8105ff128a558c199eacdc9d8db341dc0a5d5203e95285
SSDeep: 12:Ytw7iucP362MGpTEsoQn5h9gdyzp9QKekkgSReCTYeQmQBNe3i+JW+i1uoNOHd9:Uw7iTPK2HT9n5hCgijTYjBwi3d13IT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\u M6M_AAd-mFBjkWfPBA.mp4 29.38 KB MD5: 6e4b05f063302388cf80ed71f0e88828
SHA1: 8cd44332fc3b216ca914f589a267da11e8a0005c
SHA256: 68cd2909c6b849eebb79319f3decb368b463d5cebc113e7f239420c4fa2fe14b
SSDeep: 768:irilUZWMvTgJRxHOjdr7AglRf8GFKv+RQLI1phO33QtLoQj:6YU5Ty8r1C+RFwneci
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 0.61 KB MD5: 075e23b4a99fe4c4b0a63cb619cc3cb5
SHA1: a9efce9d23fce8af706221ab94a7c6068444ef55
SHA256: 3e8f12d69b1a47351d0877199334ee5357723a10b8a15d500b2fca64fbfac9b2
SSDeep: 12:a1+NsIfLBhJCGfnKMphoiGSwr1cNtdkQhwpJz9BD639Wea72YAX2sD:wIPJFCMphgSwFJRp6NIpAX2sD
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\treA-1QWjT.avi 69.27 KB MD5: acaa55a50d3d984c161f3378521389b5
SHA1: 195b9cea76e695201ee006f528673aed4069067e
SHA256: bc995048d251143a02f234850f3ed464bda09095eacfbe4c545017127c6dd126
SSDeep: 1536:mrOd1B8StyxuAQTMrZQwjP2NPe1LovZiP6lbYosRN2e4AYB57r/wdNCf:mrSv8StwueSESepovoPebYhvk4Q
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD 128.28 KB MD5: b620f8a824c45a3b97b06a6ae508e7b7
SHA1: 5def0351c48981c06ceb7674676576f2929460b3
SHA256: 7e5e6d6f8c12a764121999d5175c2e284ef3b1a7b193adf0dbb3f9663a485706
SSDeep: 3072:Vnh48+Xili1XEK8v3koj+y5qIyju3CsY7lC5:9+Xio1l8v3VyjRL7s5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat 32.28 KB MD5: 9cacc7e6f577d84a5889e5a3b5761201
SHA1: ff380f2b45b1c16375ae891a13d27a0ee65951ee
SHA256: 784000e4c517639d84f2b9d8962ae3020f475325b1d3de24d93139d4e3f9de4e
SSDeep: 768:TztVWm20fIZjWNiVVRghZ4Lx6gATRSa0XX2tO:33xi3RkZOxJATb01
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3388679973-3930757225-3770151564-1000\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.31 KB MD5: 0e6a336580cefeb1bb90403797a52203
SHA1: ef11c57cf57fbaff8cd0e8fc340f2c5b364f0316
SHA256: 521990b3e383d0cf6620ed335be39de31d7ad5010c0db323f57ba04c256a390a
SSDeep: 6:J8kb6LS7Qw+zYp1LDhyBwVhJ45aNEmsCR38a0jqWGiQp7TNyjtn:Ji6Qw+zYp1L9yqhJN+Ll+vYjtn
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061 0.66 KB MD5: 21be652990f3b5a8c33b09e8caa8c1f0
SHA1: d0cd505de75ddac974d9ae274d2a56f1cb22b2ed
SHA256: d20ade01a59eb5ef18ce5ec293a6ad5857c6b126f8aa81d33005acd3124de97f
SSDeep: 12:LbiDjofMiPTyTO6QuFu7smwoTHHp+qfFPX4DlZCeMNNFGH1srPceM89sLH5+rb:/iDjc4QuFwsmwmHXolr6NS1sweJ9sYf
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT 240.49 KB MD5: 630669e4207cfdfd9e28f19323fd9543
SHA1: dacbe5ba924acb6baea14622b66c334b60e4f807
SHA256: 39018ba3f7c77d5f91b43610cd9007c8dbbf63817d73c97b298d1e1695c595b8
SSDeep: 6144:KIMkY0gUHMUBhmx+f5+jKiBqm6ndEuYr1CMpDLQMk/E58:KIMZVoBhEK5+H6dEuk33QMksy
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\08_Video_rated_at_4_or_5_stars.wpl 1.27 KB MD5: 9b254fc7422f54ec07b04f63fb4cf579
SHA1: f829b71711d80f673cccea439bf50f2236ec9d97
SHA256: 4cdc29c02663acdcfc3aa3d657eeb6e36d4da5e4f01bbcfa2f8bae7f366b3afa
SSDeep: 24:T5xzKJmN1/U6V1HnbSazIbqqTX6OU3oCrY/Gph8ceMeeT+xcRgQWfxqr/:T5xcoVPGazDqmZ3oiS08ceMeeqiW/fxS
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Visio\thumbs.dat 125.28 KB MD5: 3edf9f3162343dbbf35650c741523711
SHA1: 8b22d92a7a712eaf315ede1b8d4a58c8b9106154
SHA256: 9699243fc57c139d76660feb11df5f170c7629a1681fe23ccac3568c0c29d173
SSDeep: 3072:PUkWFZqag6SE0GGcDxAVaoKk+u9CHKYG+Q:PUkqZLg6WWfo5+usdTQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\manifests\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest 11.83 KB MD5: bf20430bc9f07d76fa1394a3225cdbf8
SHA1: 0e842c9a8b230e5d448177cf54c34f31ce9519d3
SHA256: a8579244aa31e48c571c09f7d416d7753a3d7e3181883612da6ab7e7c4faa727
SSDeep: 192:7pWfyIzI9i4TZmUH4CE1wq1B2drk32di7onWMThX4g1U2IBt3Lpj:7ppIf4NmUH4C1+Cs2E6nXn1U9bpj
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585 0.66 KB MD5: e8a3735e5af9c22ea26e30f0c1c4ada0
SHA1: c88327b46fae24904690f9b24f08f23ff5a48796
SHA256: bed3e8e387c57ac6b42a02613a159be2a9ab3edd732f784e6bdd06b49f4def83
SSDeep: 12:09rkqARlgf0RTLaNPBhGZrswC10ZMvx3UlAy949kTqFTATPCWZ0ZAc8RgrSp:2QzgMyZQZrsdoM58qFT09ZSArRUSp
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\07_TV_recorded_in_the_last_week.wpl 1.30 KB MD5: a2862f8caf13b962a6904495511c4579
SHA1: af0af98d341344fb4656aa9b5ce4483b329d9a11
SHA256: e6f7e8dc17613639f3e60e43764b6b1bcdae9c9e65dffbc0a7cfddfc8a6184e0
SSDeep: 24:TKgYycYDbntYu/WnX4SZ2NrB4YHkZ4kEm+I/gFRTMFWrpfn7TDYDrVKdF1O1:uWtZiX4SZmSbZ4vhIoFRWWrl7TDYDrVH
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\zfKXNkr7GrGlHIsM.xls 27.83 KB MD5: 14aab4a39a991fbbfff8d624f16d63e7
SHA1: 85737a5994cc5a212b535eeb3df44ede262c5106
SHA256: a22108cf9ecbd43c9a6491ea020392df6726d365b8cfeb3c96fd0ab420981838
SSDeep: 384:Mar+x+/zzH9/6+0nkj9UgFi9eOWwfjYQBpYHXdjV7tExoKMAgwoRy1j2I3eXLPfz:Mal/z8+0kj7jtwf8QXYJrvKMtN+Sx5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061 1.86 KB MD5: a330bd5efc2cd21e4fd38e1bb16f12c5
SHA1: f5530f661985424c607a28a053e2b0254a3a88e0
SHA256: f4088350e981d411887f691d67da12f1a4d8283f3db9f2478d8657abf9fa6e43
SSDeep: 48:VRAJOSBEDx9hLULEVG1aYMuOM7UgbmTSoSD2/xQ:VuJurLUgV0aYMuOMggbqQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C 1.88 KB MD5: a15302bc3772a800a122f6466dce9ec7
SHA1: 60081a613219c969a6740357f121a908e2b8b550
SHA256: c178aff84cbd5cb7a3094315c2b744961259394294699c7262ef28625447366d
SSDeep: 48:dVMU2ksv67mKLfqoNqcxcapkjIlX5DyVNlutOWg1Qxh8X:dyU29Cm6fNUI92iJDKF1Qxh8X
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Outlook\mapisvc.inf 1.38 KB MD5: 983319f3ffb491ba7422106a1f8638cd
SHA1: 01b7c133ef26222b05df55f09fc78f387008080f
SHA256: d1dc2b368dc469915d5ab7f2b1dce2cf1086b2bba3fabfa2714036cbb11f13f1
SSDeep: 24:R72VuX5VclOl/W8SgC247iGsVVYdWm0tkxTYmigcOBufj/7AQvYOz/VsGgfz8Y:RJX5RFCmGsbvklY7g7eMQvYOjVezb
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\frameiconcache.dat 9.27 KB MD5: a5941d63171e013d4ee87d7d6c0090ce
SHA1: e3aa236e2d0ef6f41d72f6404b24baa9c451f425
SHA256: 9805e4c79606d83fdc0a4b6b5f1a3fe92411f4971a02fb7e7e09fb7c003715f8
SSDeep: 192:a0hedGOIO5TMK6qsJqXoeK7Y/41KFnHzj3mklvaSu5WivG3U:a0YdGO35TMK/gSoeK7C40zjxuvvGk
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC 1.69 KB MD5: 807250b74260207d47d4277748000a34
SHA1: 8e2f3ea8814ef8a9e7329b652fdbf73fb3812c7f
SHA256: f66e74175fbf188ceb4eed01a6397a92cacd77c6dd136335deaddf29ef46f265
SSDeep: 48:zHggZsOF3ssHrBaQ9JljD3lAaGZGmuDk/zbJ4KIG8qABRtlTp:zAaHF7s6JB3lfpg/3J4NZR7p
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852 1.86 KB MD5: 695d09d8260c2efc40a3f62153e79c80
SHA1: 430be81e3de3379232350bcb7fb911615557412e
SHA256: a07e5b7e4564219164a42fef0a325339f3f091473a2f88bff2ba55fb84f7d497
SSDeep: 48:ROoeFFDP+XdQZgXaa5mC5Fm0IdQQtW5v3sIN1dUncgaw+586:e0dUwaa8oFOy5UIXdUcga9i6
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\History\History.IE5\index.dat 16.28 KB MD5: a8357c9d4ac7d18763aa6b00ab4f0b81
SHA1: 1113bd7c6b6f53574040015c0a188a93e2d53517
SHA256: 567c2f73a65e46a8b15e5c69cddbd75baea86c1ad37ea99f7da1d4e9dd8a1309
SSDeep: 384:TPY559DNudI/lzwNH4o/Xtm4q6V9frP1huXbj3ezUxuEe5y:rYpDQiNENYGXPlV9fDuXbTeIpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3388679973-3930757225-3770151564-1000\2be989a0-16a1-424b-9211-51aa3bb43e5d 0.74 KB MD5: 54b3ba6fc6fa30b7e241a701221fc441
SHA1: 7a63788b39726d110482d89e27d1d95b35cfc100
SHA256: a085059202912d11a9b1793e490451771aae6a6a95cd6020cf6dc327fbcaaa5f
SSDeep: 12:EcNqEBKHiq7cwGjHhjNXAVVxpDNFt0kz9U1WwidZekqbO83WQglx9CZi8D:AEPq78rh5wrxpLU1geknRnTWi8D
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30 0.66 KB MD5: 5922ba9b9541438e8b0cea095f2c08bd
SHA1: 120e357fdb07c80297715d695c95521b8460952f
SHA256: 3ee3ec99f9735e8351aa6c29dbb4c66134480ce9e974a7b32fd7c63be03cbb53
SSDeep: 12:11j5Ig5+ZqxeeGWOkdL0M7mlJG7VUp7mIRXpK4cE3SBuULOyGexQ4VP0sSTgy5cL:/j53nxAM2YhUbR5K4cASLrJxQY09PWC4
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab 10.00 MB MD5: 14fd55cb025b2f499462ca69a74b99a0
SHA1: c64b116cc135244974206656ca02b7a0065e0ca9
SHA256: a39246ef977d474c74bdd10cfe96d329bd07439e7aff4ef6bca639a66317b3e1
SSDeep: 196608:MhUHA1kPt1pYF8R6Qsrdq7zEqaZswqLhQTcvlj9/z2H7DLKH8:cUgsDYFxmEqaeqc3/iH3mH8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B 0.74 KB MD5: d337df6395a47ac813beea7a70590f65
SHA1: 0fb9c1409ac2b866a6d53324a4b19cd0acf5fe45
SHA256: 2e2a2598cbba7c3333b0feceb1e5e08e654c712d351c161c2f83e3f4337929ad
SSDeep: 12:b0esfW3rXCDXmjLWhrwTpQDX5Leht0O0Ala9Ok0q9Og2d4d6MxnqYx:b0eBrXCyArw1wKhtGAAQzq9n2axnlx
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Z4601M9xHFmAKHF8pH.wav 57.13 KB MD5: 9ac4c4b786508db140081f2dd41c0a0c
SHA1: 39bc1d0a8895b31eedf59916bb5eb0582acdc610
SHA256: b28fb3e528b9498fcf112f90f477435007a2a676ac0ff0c343c417e77eedda25
SSDeep: 1536:ZHJO54LszjeeuhtMd0sWNqtvLS2Z3QFnCTSkLlW09bGD:ZY55zje9gV1enAlW09A
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F 2.00 KB MD5: 838da678a64bac80cd9d23ed7fbd5d86
SHA1: a592718c927b4592d4fca13e4031428523a64755
SHA256: c7d53d85d76fbebd23d9b3feb583f098572c484f050d1c3fe9e184d99831101d
SSDeep: 48:YluaSQXOwkh1W9Umjb3SZkYfF3mdJ0+YxDnhmEuahMgGWg:Yv41CUmjDSZlVoiTm6WJn
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6 0.66 KB MD5: f08f5ccb6985162ed5832b91306c62ee
SHA1: 0e1ed08e1ef0f07511db7929e85e765ff2fa541d
SHA256: 971e52308abab3d1f814c0dbf373e36c26d91d3e137ea0ff43170ca604ab5796
SSDeep: 12:Y3IT33CQAWoGzVvF6kgLj4JVzK9CN+oIpe0/NFNdYYdxT33fBF/mn:Ym3CQAtGVvF+j4/10lFNWYdp2
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\CZaqSsZZKSl-6c1peT.ots 27.92 KB MD5: f2d6fe4c1cd1550a3e3a5acb66a60e33
SHA1: 92b6a4b84747903ffbd3753de4a5137409d9c982
SHA256: 3b07a37709d43b364980b9174d7401f65c4e69b61c0456db179cafe7194d44fc
SSDeep: 768:BZOOIcYp1qk7GiLXlwZDD6aWulT5c5yN6TsMKB/jM:bOPcviLqZRzDiKBrM
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\OuRTQD1FZ.mp3 17.64 KB MD5: 1710377ac2ed7a6f5724f9442901361b
SHA1: 02abb366014ee74a96b48c254f3c0fda40bb30eb
SHA256: 0e8829c98bdd7dc822f04e7ec74b97ac24a20f2e0da33d8950ef9ec858e92656
SSDeep: 384:ORCfJyCWW/9SjA+h3gMR21aS/2sw1XKjY0RQcx:Oof4W/9SjA++MRJS+XKk0RQ+
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398 0.74 KB MD5: d96d516e45797903c5db6eae7a2bf523
SHA1: babcad4e19bab4bf3b2b7369f4a9c98329492fe4
SHA256: fa22d52146492ab84bef1d6c61e83060b91f651bed247b87f4546d62f7300590
SSDeep: 12:gfx51kHoTNfxawu4EbRTkdKbwzsw74fFhDodEtqxguELup9j4Q/imY8bgT8sb:gp54wXwZaKbC74dxft4guELup14RmCPb
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\CDYXS_6alg16o.bmp 19.25 KB MD5: 1b8cba6b1905a987b7046d50de0399a0
SHA1: 3df60ff5334e50cf0cd83fa0a7bfefcb0c4c523c
SHA256: aa96359a0b78782c4d21085e8c399aa26bf9281f38744d25088a4a2b0ff0aeaa
SSDeep: 384:m+tL0cZADz0vRy/T1QHqyu/rJs8Fy5D50QkR2l/zL/JSxSn1WQF4pTe7bAqL4s:Z06ArGHqfls8Fy5d2czVR5/78Fs
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\UserCache.bin 75.94 KB MD5: 3b6ab050303665d3d080507fe05a1eb7
SHA1: ebf4f158952d9b0974ba95c7a92db35651e9d895
SHA256: 91a440feb72045a9859e138c0a6197bd74c8e658f63675a757ce70a43822ece8
SSDeep: 1536:v3bHEuuhd4X4fc/cO8LwyKeltiW+Q9qo3XgB/X/bSIo75dXxlqEs:v3bHEdn4X4fvj8WrwQdn4f/bSVqEs
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Cookies\index.dat 16.28 KB MD5: b4fd81bca40783a9a7bebba4fcf20761
SHA1: 0fc7fbf4b94d40b4b8ede4cc8b77ef11459485ec
SHA256: 363c7ba638af7779b23d96dfa7692a3568f706993af03d9129a6671fac361c79
SSDeep: 384:P8R6wb3D3n9GhPMlz2CYskgSY5pUbXz+awfiv2BGK5xep/dH4:PXw7DXcilzjYsjSY5pUbXz+awK/p/t4
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852 0.69 KB MD5: c34393b6b8ea2fc7d2db5dc7622ec359
SHA1: 4b1b4b8111c0cea28be8ed5678b8cd78384194c8
SHA256: 08061e00b577250123a5f1dcf9a78c95e0c30ce7352cbbb6ba01b75f5421db9f
SSDeep: 12:CWQxQHnMdSFCXTXnObB5oZAkh8xCaP/CTL+hSvRk3BP01/uXJUNz5wEpxBLK8km2:eNdtjObgZAkhgC0m+MvR01JUNzCe/Ln+
False
C:\ProgramData\Microsoft\MF\Pending.GRL 14.89 KB MD5: 2605810f1abd06551cb15524b83b9d2e
SHA1: 35295d027e210509a39fd7cbec2499f6654b52be
SHA256: 00efaed11170e21ca1070da7b1e7bf2619e9256aaf9d1848aae5d0fbeed9f368
SSDeep: 384:43vnWtL6N/nSvxoFUHSDKSWCycTp1m2cUxf3l:FtLS/nyx+UytWv2csl
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D 0.78 KB MD5: b4c3cb50890677b3fa4795103ea39f1d
SHA1: 5368093ac15b2b233eeb1972e8f050a4f18e33bd
SHA256: 22be91e5fa79ef890f9ea8cac949c2f56c098cb1c3e51f786f0cdfca5a1b7132
SSDeep: 24:T5ALw1E/Fq1L/hKQg4nJIUds7usGrCMwDz:ycmQZ/4Q5hs7ICMq
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973 0.67 KB MD5: 12116c247347bf1f145dd77646f4105b
SHA1: a4164919c68241c5c840ca8e1d4a98677b2b1953
SHA256: b0bd0e87eff4ff292bffd2a063745a3edb0463549d13599bed1a5aeafd4fa8c1
SSDeep: 12:iVeJWzNDoiDuBBfFHKXVwEMVuZEOXrFVKiQk80JkrVzijdnuZ817mR2id:WesND7SLxdu9FVKc8KfpvVm/
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1 3.13 KB MD5: a333d332c29440679b5ba36bff3969c3
SHA1: 0268a095f251ae876a95b4232846a1895c41cea6
SHA256: a22c30f714dc3871f476a07b706b992be2f8e37d07967d11bf2329c7224a9c77
SSDeep: 48:UaomM8tA7z9pGzBVDHrsQ6P+y/c6XJn3rVUstg4x9I+eF1hFjoQhRbI5qL1c:UwSA5y/cyJ3rysthaf1AQhsqJc
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx 3.99 MB MD5: 19d3201468f1ccb275e874ce20d3f2a0
SHA1: a73de4d20157a466c15398f47e020c65f2ecd1ee
SHA256: 244a7ff1084d12c7c7a5dc3c27cc050beb98acc1371d3304c34769cb93cfbcf9
SSDeep: 98304:HXEPhTZuYHIICfEEYsrwZZSch9/EFogsNkRwO+Aco:HXuY4zuGZkcX/yozk5dco
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1 1.85 KB MD5: 808ee7e7189820195fd14e3b1e2a8577
SHA1: 0d21b2ba6639c0d563be2aa76a0c958317a7e27a
SHA256: 0c69b41eef8a52e72b4dd8411a23f21e849448a94879ecb8356631dc60cecfa7
SSDeep: 48:R4h6pY2hI1cw1Kfzn2LBaIDajSKxrFcMBHQkY8Gt/1ZPXN:YsYrCw1K72LBa4aDxrvBHQkY84P9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778 0.72 KB MD5: 402e0d031a8bb2573839f93ce44a3193
SHA1: fa441f14099dbd3c0c336109b64aaa9a6dbcbcfb
SHA256: 112eca9da543fe06de07e4af6c03fa947fdbc5baf6704bee04fcfe311541ad24
SSDeep: 12:Vdz+RlOCLS+bq36MC02uQ0EWQOkln1Phn8VXqyuPxKEirwat4BqYS0CXS:VdqRlOB+bqO02R0EX7b5OX6pKEhtS0Ci
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\MVNll77OeccQ3jz2D7.m4a 53.36 KB MD5: 260c5c06a385a0a32aaab4dfbf719b94
SHA1: a9b1999feb1cca5f1e52cb685fed317fbe3133d4
SHA256: a002ee32642bad2cd05f818e79254bc18f4b4c70ade52f57cf0b3eec1ec2c273
SSDeep: 1536:u55HiOKY18yOJtlV7/8Pst5iaWGOjojevz09:Y5HiOKy8hloW5dW/jsmY9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\18DOQd.m4a 60.97 KB MD5: aa42d34497252e0faa4dcb688d66353d
SHA1: 0fe0a8e406317bdae5a6663293a28eaac18ebd50
SHA256: 1b720629b05b8212039c806bf612af1b341f2109950ecdc6880cb21508a03495
SSDeep: 1536:MsADjlCd5tMzVR8IOoS7MIbWPacy7r6N/XnYtq3fGFAwMcHLbM:AXUtMjlIYOr6N/XOqAVMc8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77 0.99 KB MD5: c2b391a7f9291a6e9772d5ed5b25ddd7
SHA1: 90b8f7a84e5b1fe8cc0214a242e0da5863e37964
SHA256: 8b813e1ddaba71634036dd473c60e3b2e101fd8630cec4d00e168af10afa9214
SSDeep: 24:/W6WqwAd6AftO+fscNkwDML3bAzz+LEzGd81A:e6wA6AFfPXo7bAYi1A
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\06_Pictures_rated_4_or_5_stars.wpl 1.05 KB MD5: 7089a60629b56a378a525b4e61eb270f
SHA1: 530bb9964d02e68e7d63177aeaf344fd75782789
SHA256: 79846876945adfb9712f8ee4c2665e76b37a43058af88c0257e17a7ff7ba2ad4
SSDeep: 24:GRvis7t08pGdbPuNKH6TJ8BM4dVeWMTYH+JMxggIjtX2kkBfIwr42:GjjpEPeKH6TJoRH+JMqheBfFr42
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\gqDMJSuso0fyIVJ6j0.doc 99.56 KB MD5: 89fff6df16f085739c92c075a456a527
SHA1: 4cdd0e92fb0fbafb624a55a012f9bdd01fd519fa
SHA256: 9d12b3e9ed7e0805081d554dc89206c1ffbf8dc0a3410464f245efdd18148131
SSDeep: 3072:2IgyvJ8x0UVyyuuXRLkaBRYfJ4JYEBH3V8wCyOoq:bs0SaERjhJYkXGryC
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\WzF9a1WRQ7ycW55H.swf 38.21 KB MD5: 216e51e9b27fcbe609b82cabb0b57b38
SHA1: 78ab796fd64b6d8fa9f21cd32b39627b40ddf489
SHA256: 79131824d02c2d05005c190239d4b0cb4d15e8f67c3090a6f2523f52a3eec708
SSDeep: 768:qSxCOmn0vxNI8cHVW35w3p2ASKTY1DU2L8a0sRMhCr4QtgYivE8db9nl311lDPAH:Bo0r04p5ASKE+08avMu4sgRvt9NdC
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9 1.75 KB MD5: 5a97500e54d4f3ca25655e1f6cdb678d
SHA1: 6c2371a052408d3d7d85d7223cfe3b384f1436d4
SHA256: a1119a90892f1e2d728352fe5636bffa042e47f3b2c56c3018b76aa08665571c
SSDeep: 48:SxKLLlmJT+ErahHtZqeUE+W34rA/lJEUtPSy:uKLZmJTxe9t1mA/JPZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Acrobat\10.0\Security\addressbook.acrodata 5.55 KB MD5: afdb0e3a6c8247c6a0410c7815954d64
SHA1: 66b527c1424ae38c2ffda01d140565d7b2157710
SHA256: 8c2b03f86ded59c0201df6fbaa07543f835ba8f1572a80b211f507e74aeed64f
SSDeep: 96:bLIHnQL3D5rxEv/jTpP9c45M3W7M6ZBlQ/WUNoLqBbICaLZtvz6yHaTkWMNcQQhT:4HQ/4njTplD4W7jwNomJa7KTf0cxQM
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED 0.72 KB MD5: b31f7064132a6ffeb86514d56bc5090f
SHA1: d59741dfb276077dd44643cbbb19dc68dc8f59b7
SHA256: f0c29ef2a571b4c5d7f0a96de82418352ec19c4692e6f942e8282a573f97498f
SSDeep: 12:HIjTiiMepgHei2iwc0tQqofEfdalsx1pSxtPvGUwEowfj8YDoQl8g/P+lrj8nsOR:HQoepgHX8t0ETxqDNwDwfhRl3P+xYuQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\U8X94Jcx67O3KtoRhc.flv 35.17 KB MD5: 5612d97686b2fec509c2d750f999689a
SHA1: f8f8971e866c1c10c55c61136dda592a0db4383b
SHA256: 9b2423cfde2d4faa6acdadc1c9e76a65ac7f99322b2f735178a2f7b21275a998
SSDeep: 768:Vs0bXmPaMe4ULADr8fi81Wq5ZdOqOS8hO6h+lBDESqrjM3H:5TVEDrhih7cqOL+DESrH
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E 1.86 KB MD5: ff9309093fe25bbc150877232760930a
SHA1: 8d9f908806cff5999a8349e2eb6cc7996f674c8b
SHA256: 3e8ba963d879f00b4e928a3c01b75b5f010c76da227d24e50a538d1cdc9a6956
SSDeep: 48:kTiUnhkZCQP7AWU5irXMZJL0ruJJsC1npts8i8fyydEH:n7ZCaH0KXMPPOC9c8ipydO
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\clickonce_bootstrap_unsigned.cdf-ms 4.00 KB MD5: 4119c29dab45645e299b9820fb58757b
SHA1: 9499f69065d7b7e728388afaa4975f10879dfa67
SHA256: ba5560c1234efacb732542d5562e0ecd138f50057c3d767dc5a41ff6d18732ce
SSDeep: 96:8v4P3+TUU3csfO6RyxDVwwrzLKjlINkGR7V6OCaZ9a:5PuTPHRyxDGjyNnX1tM
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl 1.19 KB MD5: 4093c34a694da453bf9930148d6ee5b9
SHA1: 79555a5d2e667b41babc02dfca45b57fa6b85467
SHA256: 3607e11f2af65e67b686b8aacff710eeda137d3206ca9adb6c5380513d369222
SSDeep: 24:ZItqqJsDrU62E4eIW8+MVCbIgeGOBNRBz9R4ybnq4XE71DqDZoBSNwmQ9b5GJMiR:m0qanUE4e1N99OBNRBf4AtElKKSNo9bO
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat 4.78 KB MD5: 9112ec8f726783ab7efeb789e7b73860
SHA1: b2ec4b56c51c5a1c09242eb58c628aceaddcf08a
SHA256: 9b22c79c02b464f5429d7090496581afe978ca2bb4bcb1ae50676a1b61188a85
SSDeep: 96:LVwoYjBZkHeYbtdxwLdJbtBx6FztZDAukeQixzCFkVwNn7nsNPWQXDxN3:LVwPZMeY3UJbt2Kb/Wu1rQWA3
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 0.74 KB MD5: 5bc6ea7f26da613bd58008a44005db57
SHA1: c6dc623f5599ec52845e051118c683d15a832a2e
SHA256: b212886d08bf2f52c0c6b1eda93bbebc8ed2fd52ee3a14ab8616d8dca7cc3c00
SSDeep: 12:0vJfhDC+CrNjT3U4M9hBNH5yrN7aJJ3qk1Gxe0wMzads6jd0JobtHX9qStI:GR01N33CDBVgZ7aJJ6k1dfMsrjd+orqT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\bYftUo.avi 17.77 KB MD5: b2bf260a80a372a2cfedcb96f9dcc851
SHA1: 9890ef44fcff20b1e87772bb94b7157326c7643e
SHA256: f97989eca1a0038c8f680859f4eedf6d5b5ea7be7c49e370ceb0337e5cae2dd0
SSDeep: 384:/0sBJxPSUJwuS/w4JwdH8282U77Dx9ivFx4ZcUfhwpm+rWY9iGkP2:/0sLxPSHo4JwdH8282U7fmjGjF6WY9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\ReaderMessages 8.28 KB MD5: f644f2e6870bf8ad2607827a18585f0c
SHA1: 9a524423f94691e6f0c58bbeffa5ee1cb5f711dd
SHA256: e96be4f0de6b3e9aaca7d69675f4f612354705e52b77b6795302adb5ac68f585
SSDeep: 192:sDMucrXyy2DMLVmXcdniypz02tnewp5SR5I45RQgRedc1udqWbo072YZ:sVi8MLTdniWzXtnARCiR/H4o07JZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D 0.67 KB MD5: a096cd271e9fe0ac3bd7f78ce5f629f8
SHA1: 78db561106a5e27daf275d224f4e9efebda28d38
SHA256: 0264083f39f843e27801d97ad58934ed18fd681e59005201cf233f35792bc41e
SSDeep: 12:jzbwOCNkZY0e2GPnvmFySQjEVsYnJMoggzI7NkP7GiCE/VrN:PbDCmY0u+v2EyY+j45N
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585 1.85 KB MD5: 9313fa1950514e9f3e87b0b2d981dccd
SHA1: 8924b3a2299552d90aa8d1b21922455d352de857
SHA256: 1646abb76dc46c6606474cf8d7ed43d44182567d85c4b268f57782d15a70ada1
SSDeep: 48:eBQWM0nHWk+Oj2xKGQojyHE7hJymNzkY+Qc0rCf3jK:eBQWMM5NWKGQojZlRoYjc0rcK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\aVt2QKK.m4a 7.97 KB MD5: b431975bb4ab4ca6492753c3f1763bb5
SHA1: ebef7e99a6f8541a50bc684165b2cc8bdb07ece7
SHA256: 503dbb2ba95bd8484b67d7568acdf5b7f0d0492f4e553a3e50b9a5371af2f5a2
SSDeep: 192:Vv3pAuwcsarHTt0lR1iRiAHaPx0zGz1DxkWKRc2O:VpAuwc09iYAHaPSzGZDxkWKA
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1 0.72 KB MD5: 445ac558779294de09fbb846a8286365
SHA1: dab95f0da65be2b48c3fe90fbf9c8ea697d308ed
SHA256: 189ae9a7e8edff7db68ac4c44d66a22ad7c3e2a3601679b9ce15c92442f9c552
SSDeep: 12:63pqHrX0XsJoT0ZvyCDQQ4wKH7r8EjJd9OLzCffrBop0p6jBU4ZlL:Epqj6sVr6H3bZ2I1m0Yi4v
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D 1.89 KB MD5: 9dcf657b1eaa1064316930ac2eb72146
SHA1: a628d828e390cfa173e6ee6a1b324a8e49e6cf54
SHA256: a8289f20c015ad9a6733a94b2928ef1d3187f3bbcd9eb9d25869f0ce5a537002
SSDeep: 24:EDbmZE3NnpLMrpudsqhi/V5DorF7edtV3g8XiEzwt7G9MqvRNyjg63D8WWY62t4S:EDyZeVSpuYIVH8XkobST8WhaYeRDzu
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab 568.38 KB MD5: 4a6a61c4956e6004009b352213c995c9
SHA1: 8ac8889e9de6cf25638d955eea13f9b5f75b81de
SHA256: 8f12536cb2e64eb8ea9b99135bdf287a9fdaa7a408c4fdd1286b4e212081ce16
SSDeep: 12288:EueZAzHpC2KeaXm0K4KlFmR0pj+e/jZXy9sq8lsNkV+B2mSfQ:Eue+zpLKecK5LmOpjF/9iWK0TfQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\CkBB8.pdf 68.66 KB MD5: 064802d5d6b2099a1552f2567145d390
SHA1: 2c89bb24a7b648bba33f7fde07f21524dde73a99
SHA256: 111dbb1c4ee54cef310a79a5eca254ee0cd366a4b7c8a570b8607dcb22d32ff1
SSDeep: 1536:hJvOY1D3NCEkfKSO/dtdWAl55UU5Zh4A/dTjs0G3/Ll81iTUAglRYFfEWhn:hJvOY/VkSSO/dtdWA/v34A1TjY3TlK12
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\SWD_mb4GOmI0MBilDv.mp3 48.58 KB MD5: da40925564c2906b347aadc3a7adf3f5
SHA1: 605991151709520e173a6817475bb144b07f9f8c
SHA256: 1a0a6960ae5eddb665fd85293795eef0a8a61b601f1bd285d7235b2f29aa8811
SSDeep: 1536:kakIadeSlT7cr7WPX+BtyMGbwzr9gkY4t5oFBp+5/zO24BJR:k7pesoWv+vzxzTY4LoFBpY/MBJR
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\SharedDataEvents 5.28 KB MD5: 0c005e81bfb98df094e7147086d30e1b
SHA1: 4a12c0adf185b96d31719490b57032567449b5bf
SHA256: 98a265562b6741687ab0260e946add9b23667a452ba01f31dcd0296ae1366371
SSDeep: 96:tTx3DsIEqU9nlqf0/u5ZExFIKXb7bAzEmxVtv1lVNQmXBPw/20+F5vZLLhwXtQFe:jsCalqk+ZDabn6ptzXiOhFr+9QHoD
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms 6.78 KB MD5: a238148dabef19cd3e60da40eb03c5fc
SHA1: e5ce4ba4228fefdb9a45e5fa27bf00dbf0ca0c3b
SHA256: 61488e2e64c25c06c5014860648e2097a0b02c951a9319e9cf3b4a53c0ae0133
SSDeep: 192:m0DDWEwDAs44Ekv2ayNvml+mcigcQp9jzwlQE:JCvcs4Z9jvm+BNjSl
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\ax clB78Xbyk.jpg 14.94 KB MD5: 74283866b3f481095b0f913669ebf8af
SHA1: 4020b48958b55f4673ec84ecb9354414c945c506
SHA256: ad5e80b69a96f67c99527b2e2257e1a27f6966ca46d7d26f89d86c48a51dfb05
SSDeep: 384:WOcRsR7CkITNw8RiOcebxF1eDKUDYqR1eCrh1S9:W1yR7CTNwy91F1chXUCV1S9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21 0.66 KB MD5: fe6efcf318a0924f09d5b645c92d1b17
SHA1: f048768c351f90782062ae6218f952cdc7168408
SHA256: 3c884400959621f0b932613acc80dea698816d7acb8be0aadfc9d76edcdbbe00
SSDeep: 12:jDKtjVTIkVZRPrnbi8oESnubvcTaA/rc1lS9VVjERgugBKraF5zmKxXwIVmEpv7L:jDMjOGW9NTaA41IRgg3GarzmKxXwIpf
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\yTYdL-hI.mp3 92.89 KB MD5: 5b169a4509b0e63553dc82e9b2c86052
SHA1: 8fc0dfb0d1049f307ac848aeecee3d03cac07212
SHA256: 610187681dd11ff552b9b07db42c9eb13832b6c4d1bff6cf564d81ab7c1c7af6
SSDeep: 1536:kbJn0bPt7uNHsHnLu6yYwVlkxYDx3xMFgastwFp1v3Gfk67VBNPhcEpyz1K0NJr9:kln0p72sHnLVaYxQx3xOW+l3GvBxoI+v
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3111613574-2524581245-2586426736-500\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9 0.74 KB MD5: c80c26057a989a24d9349cf7c5ecde63
SHA1: a9978ae5602b3a8f3707800eca0659236ff94e81
SHA256: 723fdc2d20e3feeec704f8b3b0533ce164d21bb9e931104a80dbd3b51d853756
SSDeep: 12:bDjE5HM+IMUaI/aNvX5Y7o41U0PtlSRmdqbXkydq+SDe4uJmJucvryYLgy:olfvOokDNdeETDtxzR
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip 41.77 KB MD5: 5ef59cb9264572db1dc6edcfd2637f91
SHA1: d267f040a61d2b4f86f84e3545a66ce9b3a04c11
SHA256: 898ae1480bec097be292dea4d2b66ce49f2e39cb47f5b845016472362c765ae9
SSDeep: 768:EsWJpf2wbP2EIjGoXeiYM2nh5ZuiotCjySIYaMgPEM3T13CATSEjMP5aVe2DNkv7:Ep4wbP2qoXIM2nh5nCKySIygrtTSDgsZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\GDIPFONTCACHEV1.DAT 106.55 KB MD5: e5a25eed4ba2895899447b5b7c9858da
SHA1: c67146d26b5410f8439e39d3c41c1172b8f7aca1
SHA256: 37707051483c1c3b8510dfd543c7fbd9b53fe97327b2830e323a0c5873eb6809
SSDeep: 3072:OabSKebsEA+4YDidHFJyP+4+S4uQzEB+3Z9muRq:FrXpYedHFEZM9t9muo
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D 0.56 KB MD5: 58f9c37bb4ddf8b508df77c131f0a38e
SHA1: 86df8be741a52b6986e09579aeab7eb78fa090fb
SHA256: 5f8ee6ff87d849bba9ef10f23c8223e7a93669f6dd55cb113548cfc96aff1f83
SSDeep: 12:MV7UY7qRN1Vml0gige/c+Is8eavdvPXLW1Zhij6CDt9ZY:M1UwqRrMmTJgvPXLW1uGwt0
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\rV1JKxq4yqd23vT2.flv 33.56 KB MD5: 68de06509ad20de893db4033fa3c9575
SHA1: e38d45bbb754b42d50996802ff29e0b1a4d7ecbd
SHA256: 4b0227bf306dfea613af5400a3aaf67430661bcb0c324c494184917eb17e686f
SSDeep: 768:imW/csB9babn2FqDcPrxAJ2TOiVE1z6Yphne5j:VqrB9encxC2RVgzrf2j
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77 0.67 KB MD5: 5d228cf84ee617d925d2fab530f7c53b
SHA1: c2470fffc3c3059a1638cee6c9374d0852ac78ae
SHA256: b27d9f231ff07faf6eeab28fcd1954629f908ddc97d86f724cfeb9a4a6e6ac41
SSDeep: 12:aX2F3RTt8XrgafqVqimEXUHJrhGGZGuIUqEcZU4y2qvkKcmYIp5TprOkxHzVwgAE:akhTiXs2Iqm4cIGuI/pqvkKcHIxY6zqY
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D 0.49 KB MD5: e4f09a5430b3731bc0ff7241a8af78e1
SHA1: d94aac7f9a4cbff6504436632d9cde45f06214d3
SHA256: 4908198a3d107ee37956401ed7ee96947b8c52bc93998d512dad08ec29f9f924
SSDeep: 12:ERI+7R/BBP98HIMo4tdbdFiVU+Bpo982j5WXAJ:oI+7R/BBAIn4HbY9po98mWAJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416 2.00 KB MD5: 85eb8550d16c0129e19e5832f40db505
SHA1: c01177d48fcab61d5c03c17a6cfdbcce713474b1
SHA256: 5d89eaa45cfc18cf33fc090b4f3b4b8b3ce8dfb59b57d5f9affb296947476985
SSDeep: 48:7HB1knERh0yqqzXZtDYtRDTV454XIBlpin:7H3Se6qzXZtKRqEI5in
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\SSiM.doc 72.41 KB MD5: 326d468a63e524af2bf42c8a3fba648d
SHA1: 741b687ddd5bd3f4c63811c3cae3f3f8fffed253
SHA256: e2f53560856d925df1ccf9b28ec0be8833e6ec2999a336def8439aae6a42516a
SSDeep: 1536:jewiJekEtXf8wrNP/Zz8Jo0WI0Al02EC6abaGB8ugE5iUFPLezklw:jewiJJEVhXZzR5Im2EPXG9iePLezsw
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 0.49 KB MD5: 2f2dc4ca5130f448cb163676fda549d2
SHA1: 7202d58cb6b2307f50ae0ec95d20b3efd66a75ca
SHA256: d576d023550594e5ffa4b51466a8e08c60a3e1cbcc65875bcc1ade6af3b47d5a
SSDeep: 12:Yi03EMjfvhII9h8o8TEcjYhLksH3XgEU3gkwdq:ZwZ37v9ksH3wEU3g/dq
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi 181.28 KB MD5: 4665a8b1a93e5555006ca136cc137fba
SHA1: 6b143f3c4e11408513c41ca082b1d8b60f797323
SHA256: bd57ae7b4374df9875e96169617750003b129339a18a0fad4e41b2da337d4d60
SSDeep: 3072:tE9G7fxKs3686Sor7CMhJROe9KTXB3gITXXED8XIIZkyQQ4tbf3G9MWC:trIs36IoKM5ETX9X0AYVQGbf3O8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1 0.69 KB MD5: bedb5e5e22f6e69254f6a99bfdb8363a
SHA1: 7e024c90841960fdd0d437fd9719e97fdcdedcf7
SHA256: 37da54f6ab0008c799056ae28ed4db03007f3f11929bc8fcc16566c8af2b3dcf
SSDeep: 12:qZ6BXrPPRPe2RC9e+LkHKf7MdEkszwx037t/41+ax+l8To9GbVuiw:cOXrhPek8+Kf7MdE/ziMZ/4jHVuiw
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF 0.66 KB MD5: 9a4eb0ab46debba505e51dcc8be3fe47
SHA1: a9201ded5aed8076bc5bb2ec9ed475f5afe7a960
SHA256: b2cdb4aca7b884d2997486bcd76da79217562de1e261f4deb2270702d770a62f
SSDeep: 12:DrKkscFAdu7Jg3DysPx3KiNaqnn7hRHly1vqDS69aY2Weu2W7Rx0u8AR9FekkbiZ:DpjFAduW3DvVKdqn7hRFy1vqmb/qGAR3
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\10_All_Music.wpl 1.31 KB MD5: d3cf5f2ad3db74be5c49f0b6892480e5
SHA1: a746ee657c58e84feaa8271e8399c4a7012f373f
SHA256: 9c11ef5f511eb4efece3bfe76510a9ba65773b496b50934a819b322c7e9eafd1
SSDeep: 24:sOOFBJJ0afTWxJoqTR4cmXD6OHHK3DXkB2LU8P50BE0dXHd9QYTcpd8U8:4B0afTiUuDK2LH0Bldq6cT98
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Outlook\Outlook.xml 2.69 KB MD5: 03a02430d5854b27abf8063976a2b1f7
SHA1: 48cb04037bcbd491aedd5c3cf22b83f85d995084
SHA256: 0e7d0b83f51f29cba4fde7d557e05f8278a034475f12d0f19c4430f519c6639d
SSDeep: 48:isg8LKIVtXKeHAIDJ9nDIvUXjWtY/gY8YBB+M6E8x3iWdG6EvCIQ7eHpybio3+3:RlKCXLAuzDBytYTv+8PT9qp7gybi4m
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\YK6LXiAwXNgyBQ.jpg 77.53 KB MD5: 7241d262b39f3b6626fb3804693b6575
SHA1: 00bde31ce46b3dfc83e73bbc33a181df3b428d76
SHA256: be5480d845ca1457dec7c9b65566bb202e6648f42df59d721c9e7642aa1b00fb
SSDeep: 1536:izh6Y27MA7Yv5uG9dwSYiNDtHESdfSdIhyff3zVrZpbSJQ5uvFsbu9:Kz2RYxJAfi1hEiyxrDSMuvFt9
False
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10110_MUI.msp 10.00 MB MD5: 51be009b838fb714992b6f1c6b2f6fd1
SHA1: 3d46fe4c1ac03bfc83eb47439b9a77f1dd54d7d2
SHA256: aa0e24411d6138ba4b5b5cd4008fd97a8250e7b225dab3e0597c47aea0df6971
SSDeep: 196608:BHPUrtLxYWBgvDXadSLsS8nQsiAESOsYnwZrja9segf:dGtL24gvsItAqpnevIu
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Color\Profiles\wscRGB.icc 64.94 KB MD5: 8b1827401fd90445eaecc86101ee9373
SHA1: bfb772a5f5d759f110d33f7f5bbab4785da95469
SHA256: a76660eee052d9bc6c549077ceb4ae9859c9fff8a7b2051ff487122ca3670d1c
SSDeep: 1536:Nl3WWh3d4Zce8dmB/jz5JvvEPX3qg+C76Y8mNxtc7lAlTc3BAd:/3WWh3Be8d4/jzHwqEBRxa7lAlTD
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\MS Project\14\1033\Global.MPT 381.78 KB MD5: ae28e0cecbcb861092513607e8fc37cf
SHA1: 4e1e0278a1631e95a63011ff0ca2fc98476c24b6
SHA256: 00f109a010bf5ad7569e3d0af40d8c29acf45716ada2ff7486d2fc51ea19e9e8
SSDeep: 6144:hNDrpakuJ7wFvjtqqYb9zz0B5oM61U8oFIzDwrErPe07N+y6Nu9fCAf847emtgjT:hhlakuJ7hqK0BPrrFIzD6EjrNz4u9fCj
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Templates\Normal.dotm 20.42 KB MD5: 0e6ba76829ff6c878ee45f2f588d07ed
SHA1: 044b970b68f892243cfb9d3fc97bc02239ba6e57
SHA256: 03dbee13c58c8bb316bb33e88614ba7ac898d130b3f982f587ab05587aee3f53
SSDeep: 384:TgS9EAfxJFLg3tzuE+FVW8j8wSJqUqRSZwhdONJUqYdMPXKb1GtsWHqC2EcBFfNN:TdfC9u5FVW8j8wUxWIaqXKb1GfHqC2Eu
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\brndlog.bak 12.19 KB MD5: b4f474cecedb7e633022cdbecf85d502
SHA1: 6b0d9a99a8b10b2bf71694d8171d0bf822f5f423
SHA256: bb8ab798a780b1dac7ab0ff297dd194f7a5079dca17a503dfdab560730fd0d11
SSDeep: 384:I1uhpLiMrSZD3zm3EsMpH/TyLW7ctVcrOgm:teMrS1jCEBpHLye0Ee
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Li4nwNY52.swf 66.91 KB MD5: c6a9bdaf4b921260b94e801a94f5ad07
SHA1: 94bf3f831ea5e12dca053f00374355b067f75999
SHA256: ed1a024ff17adeb660b31615e3def256c9289f601dbd8445e0fa0b12fe5cc668
SSDeep: 1536:5z/KpGG193n2YvwaabonNQ2ezwqwIl+H4czt:kR1932KwiNacqZl+jt
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4 0.72 KB MD5: 95d8f1b34f283094d3b8ddca5454b5bf
SHA1: 2c9dab02c3239155b89c9122f8e847e3550d8d6d
SHA256: 2a3003a757d1917cce858154602fcb103628b01b47aab01ca308b0aa37c84d20
SSDeep: 12:6TicJXb2+bi+71CKx1dGZIypcryo9ubAVWOUBCKCkzRAxueHSoivwJvMgIHkcsrw:0++7/x1dNypc+o0O0tzou6iO16sJQ0y3
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\03_Music_rated_at_4_or_5_stars.wpl 1.52 KB MD5: b7e17f5fe6ba062e9d6fb24126ffce96
SHA1: 11f91f8b743889610a013fa4899b674f258ce7b0
SHA256: 1b5dab9ce60d6c29fce80214026675f42ba19ed842929298d63f67cea874726a
SSDeep: 48:/aPKZgO9GFwq/z8Bh/OTRTOLBG/aooTX8F8jjY2B8V+:fgSbaTRraoog6XO+
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\CREDHIST 0.44 KB MD5: a849fd8d261388d4898c9c757469c94e
SHA1: 75bd70811a274d7100ab8e2b780cca2b4aec303d
SHA256: f9b2321ee47f265babdd7f7027cd2accef0993221ebe997e5fc13a9ce995735b
SSDeep: 12:iVvoUr6vKw/Ix3wUlm9YNogrTTlySjFp/9xsVjqSfiS:io/gANS5rESRpPsD3
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21 1.85 KB MD5: cddfb094ab668d59c57afafab854b00d
SHA1: 733cb5276c1c677416e464dd83dd3d4d4434e428
SHA256: 86e9e2b8059a049a7afd1bbaf9b6e05d88ad028432d2fb29b1a8908e2b5576b7
SSDeep: 48:XSRH1LOpUfMcNWf3fppVBTE8umEatQ0/TFAPfXhc:21aUMcuhn1E8uXbSBavhc
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E 0.66 KB MD5: 397feebd9c957afcb4d35a4ec843c141
SHA1: 9531b21ee22a4755769afdadbb57d22725689efd
SHA256: a2e8eeab37902019e74722c8932dbde1b5f3d36bea492b9723bc6673bdd8cf8b
SSDeep: 12:9GryL6HM76EhzPLNdJLXm08Mn7ouItTpu+Q9f+dJ5l5XwPTNu0lwlHMzPT0Ei:9GryL6HSl5HXmenZ9U3vXwPxuGaMv1i
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office\ONetConfig\350db95df4cbd94b2a1c300510e12e11.sig 0.41 KB MD5: cfc3a9a4189b7e6d26397913de83e1d0
SHA1: ae149a343969829a02200c96323f59fdfac833ba
SHA256: 1c86608c248de2367ca34bb755888260296ce8772f3f50b2d858c7db91facdbf
SSDeep: 6:OFRc+X8u1T2KZvdIN6C1UX7uaJ64+83K1xUMLeMIutYGV75r1a9c8/Lk/UM+mU1h:OFq+su02qiSaJ6S3K4YeMIiYq1adVxJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Office\MSO1033.acl 37.16 KB MD5: 98db7e15484e1bf98ad826a2a71d0020
SHA1: a361222c36fbddad0b0af50e14136e58e64d102e
SHA256: 1bfe5ef4917a0eb44e0e0c6cb5944af33873a1eaf87a082d0d487ae3360a5b13
SSDeep: 768:FHvP97QqB/Pd+dF2zRqfoDT1Q/19lEBgCxQ00FBIT2BU:FXpQ6yF2zUXNHCxXqvK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\1H9BMgq2T-FhDKMZ.bmp 67.63 KB MD5: e4af0aae33ad68222cfa8cd07a263d71
SHA1: 716a30e37ed64e6512f52e271fd34a5c88500cb5
SHA256: 39f821cde6f295eb1bb438e8efea0017227605f87af0588508c5d0ccba373b83
SSDeep: 1536:qGXOIjyoHZwTR4lCa6e6gE8dGfrTzRkG1w48O:t+yyaZ2m4b8dGfnzCG1/P
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\qsVWzMjLHCh.mp4 36.38 KB MD5: 4cc294635281c6f2370f59949e935b7d
SHA1: 727c93f23002d55d3ae342c2bfc090a06d050d9d
SHA256: ae812d48ecbd00b3830fcff7df5397f76f40e6d7964479b54ba9cd98de1c2b7a
SSDeep: 768:YcthOcLpfVOHJKs21hiPZatHAeU2FBhDKSv3eapJgb:rIcLZVOHJKTbiPMHRdToS7q
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE 1.69 KB MD5: 1d9717337f21790f7e0ed72e500f212c
SHA1: e355df92d05b0c99eac7c1f96a6e95aaf26b0dba
SHA256: 80e7607ca0a1773601df8b8da6ee75972b6a54bd239965a05d2a67c0621c305d
SSDeep: 48:n/cxDQAZsLpJgOj48TRvcJCDcq/BI+oB6d:sDypJgm4xJAL/BkB6d
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\AdobeARM.log 0.97 KB MD5: f9d5bfa9a75a7803cbd4ab6a3400114d
SHA1: cd6027fa491fc29390e67bd91e1e019f98a3fb19
SHA256: d51f33348c9a2350f3c6bc8615d0e52fd31a5943cad99fa0be1a87ed341d3811
SSDeep: 24:+madetJVz++2fK7RjJC0t97I2BdY5VbuEeIUatXRNzmKue:+BdcJM+2fmRFCI902BWnbKIxRcXe
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\06_Pictures_rated_4_or_5_stars.wpl 1.05 KB MD5: d5b279fdc1bea964842771ff5d734d94
SHA1: 25eb5d6a5ed75e7698219252cc78d3f3b9f53f81
SHA256: c882936ac5e32fb6822926b9a4568b7d8dcb6874adeff60e6f25cfac33266b10
SSDeep: 24:sGMxVKO1G2QZgw/6CQt3FcZqjfwBgt+ty8cvfdrF:sGM/Hs/6VFFcZqcE+tDcvJF
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220 0.99 KB MD5: 6eb4a18d0fd9d4b16684e9c1a1f5d80d
SHA1: 8a10a1c74f4ac81bef46501cdd6abb631d0faa11
SHA256: e2224569d085d4ebdf14b1d9015c6740fe9a073dfce9a8981862503f200c09d2
SSDeep: 24:yhadK90Wc9F4loCGi7K/xsM5eOJtNA55K+HT2T1M4:+Hc9uafZ5e00M+HiB5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB 0.66 KB MD5: 5f44c1cdcb8b2e4108ce1f9a34676a7a
SHA1: 1775c2355270eea746facc453668e4d8b1e9a53f
SHA256: 84d803600c20282e09cbc4484a3e24e9149e26dbab5d54b242af64f0176d98d3
SSDeep: 12:6tMeM+DTDSHwv2Q0kz1w2via0rCvA1DCpqAI4j11CsFXpvC:6tMeMzHk2bk+2vinrgA1rAZRdXtC
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001 0.75 KB MD5: 774a7de5b45fc90a1db9eea99fffb2b6
SHA1: 68a12594458f5ccec33bedfbe3843ce50a43546b
SHA256: 94a7f3ddbc1f99d753e72e1972cadc6b4ce0d8c32f65367a7d02a563b046eb2c
SSDeep: 24:02PPoYyoFIGLi/FaZQzW/cXQvKqDsaZR6:02PPoZWQ5QvKqD1O
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms 28.28 KB MD5: d9d9be9dfdaa8c4c0e52c3ae70272aa4
SHA1: c626e606c5c389f556856804aee85f4d2bb3119b
SHA256: 5a00b47875c99ada5762f1ff3161ea24700f87a4cbb9466071d1194d3190bd24
SSDeep: 768:fPqQc8tnVX8v/VW5MBZgYFzk1KDxEDUATegOKECD9ifSl9kPt2pIzI+V:w0VMv/VW5MBZJu6xaUATbEiX92
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds Cache\index.dat 32.28 KB MD5: b9691efee852f5ba5650e6c8a702c801
SHA1: a01278d387a620c1a46fc3ff54da3e455fb1a17c
SHA256: 86452b5ff80377e1a1962adbdae9d05b49af4f53129afe2ad31f384cb2a7fa32
SSDeep: 768:Xl5uv8XNCTYDlNTwdIA9dOcSPE7MbQV2CPb7h0WXTXZcaaqYa:X3u0X+YDXwdP47E7Mbuz7Hr2ajYa
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb 68.38 KB MD5: 1acba2ed17a6cfc2fe964ce550b2f7c6
SHA1: acab500f29d012d902ef46769dcaf2ecb5ba1aea
SHA256: c887b69f29765aeecc00a798bf1e583241b606963912864895d8d28a69e4f434
SSDeep: 1536:pR6L92zvy9J7Gwqy5bVmKtWUgGwwv/xW+mE6f+Tg1uc:KBIOxCVKwUfwKZW+mE4uc
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 0.66 KB MD5: 746dbe6683b8dd7849b2f56cf272e521
SHA1: 997df104716a3a5a0a8b2367a5afe907afef4d26
SHA256: 91dc684435469f95f0a24e134fe002187fd0c49f002bea8d57cd601e9cf4d2e9
SSDeep: 12:G41Ub55e+bJKl4EU4fGtiaVf8LK2cKAlPjgZ42IDaccK//7UIJm4Y6vwrrPxMHz9:G4qb55euJbJPI+tNgZ42gFcmYIJm4Ysr
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 52.99 KB MD5: d99e6e9a3aab0b7f3616a2d5dceae0d7
SHA1: 47a355186cebaca0a63e2dfb38992ae41013196f
SHA256: b2c7f6a75cbe1f95a3d39298e74c91d9ce74c3c955540a91bc3b8d1eaf1d24c7
SSDeep: 1536:fhJm/et8pqVlsH/MlVJFyMIOdJIP0G1Qe:fhKetRV2klDIQJyOe
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml 1.10 KB MD5: e30f6cfe8f16863ebc4b5ab789af70fa
SHA1: 32938225d9301978b789547bab28f2ea5363d321
SHA256: 914c311a79f9c0fbfad0cae9fb6231d48918450036f92161fd7866ec0d22f826
SSDeep: 24:jBYfTjKIPwoQQkvcvmPP2dIw1H+NrUDQZvied8dkS1bhPuj+:yT+8wXQkv6sc/1eY2vitGS19Pc+
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D 0.60 KB MD5: 3284ce9f41a415e274d1b951391c757a
SHA1: a698d53008b020704efc46ea729761c07a5581e4
SHA256: 1132cd4f74f6c0815a48eb7d609f15380a88a37a0d177337ef71d854080bf691
SSDeep: 12:DQvtwWwDKfwVig3xwDOGPxvkkBWiyN7lxRUPn71yx9xy+d:svuWwDK4waGPciKG5uo6
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Ll3fHZPw.flv 22.11 KB MD5: 33ceb7e2df8e1f04a519a5fde8b2bcfa
SHA1: 8d877968918657ebf4364dc0044fab693c982e78
SHA256: 069b6716336f7d755ba0a2f1385dfb42f4bd68e68d96ecf35231fb28c97d1cd9
SSDeep: 384:i69k8lVY4eERtwGbXcmfHBC0RiqnlBjPCtzDAfVCGb6tIT2N0l/uPXlNPLpy:Djx79HvXPCDAfVbMXltI
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\04_Music_played_in_the_last_month.wpl 1.53 KB MD5: 0b761f0533437e12c8acc3f594d51847
SHA1: daaabd293a224c799b8e99ae41670d38c81905eb
SHA256: 41f21af31718e563fd0142f0b554d9049c3790475a15129d1e644540c14e9bf0
SSDeep: 24:5keMXXckK+Faat8n4ZCGQQEI1FCmzVebqYjZynIIbo0FpXA9phbJInfe:aHckKoW4ZUQ5JebzkbAZ+e
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD 0.67 KB MD5: 52d622767c8bbc2a0ef7f7b137c979c9
SHA1: 33be4a240d7df103ee2dbad9324d819b2c8f7469
SHA256: bd65b8ec7bba8c65bebc649c440811ca6ffd858878b7ae83cdb212df5a472a48
SSDeep: 12:9OoLc5jXCL52YBJsYkmIv5WAhyRvdMw1aSEYUOjTQw1mONNs581eUcHZG2mnVsd:Av5rCL5FBJXkmeo5dMw4SEYUjcS55UcB
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\gtjOTF7.mp3 34.72 KB MD5: 9a37967e6ff0595c10c38fc5f602ede8
SHA1: 2bf78a9fadef2ce44bebf6eca1148fef103c6411
SHA256: dc690832f58d2eed7702ae9f375025b4ed375bef147f6dbca46991db3279d524
SSDeep: 768:Qxy9V9eStVc81B+XS1Sur/yvAzoJWmQJFMz1VUPn2A5kCtZsG:QIeAVcE8i1S6ZmwFMzDARm0sG
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1 0.66 KB MD5: 5526c307274fa351d3c36bf910ec3b9d
SHA1: c9f22b8cb5945fa6a47ba38d62248da33f725504
SHA256: 9f3549125adbec28cae17b2bc29ed8b2457fd5bc8b5defde7887546085fe488f
SSDeep: 12:hZgM0bWIdanpTinBO+VrUvX4vL/3Hj5lrj70HFDUrDIyVQ67BOJprQ9BL7/7+8Ux:hOM0KSQinM+VQAvLLfolwQyC67n7LcEW
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\-33_sohOSKdSItpB.wav 25.56 KB MD5: f5cbaeb2bb04e0bb5dcecadbd64b991b
SHA1: 61294f15ed6c320681f206698cf7e1f98e94e543
SHA256: a68839cda6f691b0c7d3f3b5f1677f8c0450ad06e4b9ce36bdb28519aad86970
SSDeep: 384:+dTVEle1EedDbUMnJ7+REVJfEUbDSj1k7vD7ru/VrVb52c9x7HA2Uuy8Qy:eTyJQZnJ7+qlSZk7vLu/hVbV7gcr
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150 1.75 KB MD5: 3da042a3ce10c4e53850874b2b04c658
SHA1: fca2fc638a16147e6cd28cd5eb9c9b8f794be14c
SHA256: a181d740d9e61bc87e3029ff3dd9a24760bdfecb6a0f5d1f5bfbe89ce6fa0e3d
SSDeep: 48:hi8zzvos6UKADNTx7iqqII5arCNPikEIDXCwBzCM:htj2AxFtq35ae1ik7XJCM
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.33 KB MD5: 2b683a258605fe137c5575ab1b12caa1
SHA1: 08dd9a944d046c8534266c1717ca44bad50ea5ad
SHA256: dc9fd0aaed3be71e5fd187de711f31c42f7c207da930c8e5ec0e71b157c049b1
SSDeep: 6:J/RDoognoSgeQmtC/fWMNmL9MjQwx58dSCymv/WqEm2l3IG8CsRK:xRDe7CDmL9kT5wh5KBz
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\nH-My1UdhBR2sa7.jpg 2.61 KB MD5: 0181d3f53036e7f77e048f3b3b8634c6
SHA1: 06c8cbf76bc1bc47ccdce39f71785bcbacd6ca4b
SHA256: d162e7605f7104130b0fafcd533552a1c8f473f92add9685fc08f0dd218d86e2
SSDeep: 48:v19/nMybYHMQOBeyzLNOrUisWcUeTUgGsOL/x3gEjzc6Lxf4fFeeNERnF4hu0k:t9veMagqsvTcsOLhDE6o5ynFf
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\ANdFG5xeFt.m4a 75.31 KB MD5: 98cf26a1ac2d3944b8acf3d276622939
SHA1: 4346008d687ab42766342969342aa7c17e027d37
SHA256: 471897ce7042ed9e43a27af9cef1408e19ac04aff4305903aeea9952cbb2cc21
SSDeep: 1536:bkPniR5b48sKzQdDoe+xLvLaPIwgfhPmoulYnCIPQCWLT+6tcSjar:ZR5bhace+xLjaPIw+H+jI
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\12_All_Video.wpl 1.33 KB MD5: e1fcd30d864df876399cda3fe8970231
SHA1: b93c9551cd2c6cf3c2967817f617fe45204b2b16
SHA256: 444ca3ee864fdd2fdbc11713059d3199b10e93a841d829e2aa08ce2d3a77d891
SSDeep: 24:YQzdSFwfHtdM4rS20Cz/mzFXiFDGBLrnMwATUA587bu8v:YQzQFw77t03XSDGNrnM5TPynu8v
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\LuCgxYJnKOKRXF1ApvsC.pdf 97.25 KB MD5: 70b6e0686b0bd93500a20dd841be0cb3
SHA1: cd4cab157c9666e81b7c598b8b88374c5fc75f08
SHA256: 9412f622c158191a0e456e7508fffd560dbb8a26047a49a1544e1759130f6753
SSDeep: 1536:9lAYFjEnTX+c9XKR/HIwmjbK16joLyionyuxw4hBoQzgvK1jfV/2LQzxAnE:1O7XKRibKgMGrnyXdKttOkAE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\zJDtMsVUIYHc_Fl.mp4 32.08 KB MD5: 1ee25fba5452a14a545105cf4fa5579e
SHA1: f31b96319131a91683d8c029cf209343abe53701
SHA256: 5fbfbfe8e2a5766589077474faf1636f6b813ee8b05840c64149745c4f14b2ed
SSDeep: 768:QIfsf+B0rU8EtYgHjSK6b8NTBtBaAnPlKl:i+x83gDSK6baBDaAnPY
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E 0.72 KB MD5: 35f05772dfca342c050a78ce434f36ea
SHA1: d05170baab4e5d608615ebed5f51a55ea9637ab5
SHA256: 222071ab10ef06b5ef3451e44cb1d128933ac935bf9ff27b2fe71c3d3ba17f5b
SSDeep: 12:8fJuefaWMtm31IbqcsmLMUgnCTCLWPq9xkv0IfU/LobbceDzyPOfmdU//vvGk:8xh3yqrmLMo6WPIxkv0I8LoseDzyHk/1
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\p18Nw6XNaucgdkQ.flv 92.63 KB MD5: 547bd75bfc2532575cad5e2c5e14b7d3
SHA1: 824fa5c3dc5a0d56c06c74e01b48fd0e91473331
SHA256: 37b15bfc0e244ec6769b60ab71f27d7d9c744cdad31cd964b9d343cd961e4801
SSDeep: 1536:3pObRb5lWj6JD1/2T1m/StRuR5QfG0Mwjvq+r319WgqpOFcXKbeJ3i:Zmdla6JDew/StcR+Tjvp3iZEexi
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\fJ2brPA.pps 98.81 KB MD5: 05e579fcd001e528a6dca1eef3bc6002
SHA1: a8103038773c5781a6fafe5a62783253c35edda2
SHA256: 7b640c333381941cef5d37a031d68600e8efb56c293add6350dde6e3890d8e81
SSDeep: 1536:rrm+jDTOf3CgAIrhsDY5DNOSekItS1Hl8CDr7ff7hD/tCuURBtg8NYcWig:rzjDzgTb5WkD1HjLf7hDFCuBu/g
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC 0.67 KB MD5: f8f23bbb9db0d78a25a4f83470b0234c
SHA1: 437e8c2c9106b3927c84db2a815cfc9ba316641e
SHA256: 523aab955d99322f232141b3c48adec28516f128fbd35cd17fec9e45d67e131b
SSDeep: 12:mzKzsQE22ROg20rx3xWXcmyTqiAhpA68s7I8SQzKJdc5vR9D6Vp9Dp6sqPwSOwT:mzzQC/RE7NjzA6aOvnmRp6sqPdOwT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6 1.69 KB MD5: d1c784638e9364d844cd5be7301b6a38
SHA1: a2fd5f4fdb5f69c4c8d3bf7776ed316bfca36236
SHA256: 31bbcda77727af607b925ca5110c51d702b1f5153a3ff2b790a147ed543b965d
SSDeep: 48:QxS7zSxTw7dhH5dDQ1ZOvlXnmekAWm0Yb:YS7zSxTw7rH5Zz9X7WpYb
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1 0.67 KB MD5: f6c7c5a928dfa2567ca01a52b005236b
SHA1: c2825876687833483ee4c10058ae5e3c009a4c7e
SHA256: 1816ee47d7892b64821e1f632e208c1b416d419f7e32362cfc7cf68964313009
SSDeep: 12:MkkHBDggLeiN9lulZUnnhWz5cnjqPbh4f4DUc/Zx4kgimvkpsf:WzN9IKnhWz5c4bQc/PVFo
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml 0.44 KB MD5: ca01907526b2ff3dfc95d327e3e51e18
SHA1: 7ff67c4dd0702a5fb891e5ed5d15bdc8471c20d2
SHA256: 7fe283a2689a08d49ca24504ab16743829cec3f0b31340de39dc155f4502e9cd
SSDeep: 12:fdMGGh5DyF70+VWAClNFsxDcQ2p+4eHhE:f/kFyu+4ASFsxDcZ4RhE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\AdobeSysFnt10.lst 135.49 KB MD5: 30c6a09a873c7715f248563f2114488f
SHA1: fbc7b497bc83a11eac85ef2309bab4f41ef44259
SHA256: a875a75e29ec48acf52aac11fe8d566f383c08b2b38a955c83221d6349a08b63
SSDeep: 3072:OVVBYVPa8W58M3nKR1lOoGtCqpQBfbloOQLp6Gs8ZNRA+QFLJP068JE9OJ:UbWHW5J6R1lOoGtQbqOQLp6GsG5QtuNV
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873 0.67 KB MD5: db7f6f2f37370beb7c3093fe346dbfe8
SHA1: 03a30eb04bce9cab529d61bc5c1d368e2383a976
SHA256: 9ccd424eb13192488de135a243f90a6478f2dfd64d0a32fafd6a50ea0a9451ba
SSDeep: 12:PjoJ5MBCQ9myjez5h9wrTsS2SdpGuauY4OlgJpa19nRS4kCYX4t3mBTTrbQLOC:Pjovutar9wxpGDuYeJE9fY4tmTjQLOC
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DAF2884EC4DFA96BA4A58D4DBC9C406 4.05 KB MD5: 9609393481b7748dbd077f6d40b97c33
SHA1: d6c4a6729e50def4ea77124f2c66282403165aa2
SHA256: b6cb7ffcbffec8db1fc3738e93919131d649c6e821de4f9065edc61ee0b7a422
SSDeep: 96:7JPD3jSq7v+K8+BCtO1Q27gp1tTc5+A1Bwd7uM4teSs4Nn5k:7J3Sz4BCtO1FgrtOK7/aI
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3388679973-3930757225-3770151564-1000\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.36 KB MD5: 6c3403fa0751a1e56af7b806ebca38cb
SHA1: afc946a1c8807ed4371a2264a4f4aaee2a8c737b
SHA256: b7ba1addec14da5957bd60eb4f6c55635440d6d8f9d4f4e4ded302c0106aa910
SSDeep: 6:M+jCmxe298TVvUjlvJs3UFSiCThLRAxn4xSktT/bFkkXd7pgjrIVigY4W/IMyxH:MNmws5Js3UFSiqLRqn6S0qkJpg3IVigv
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\08_Video_rated_at_4_or_5_stars.wpl 1.27 KB MD5: 38ce2f7cc69212d4c7f23bed69bb55c2
SHA1: e3e59d7ceded906e2ea3fe3bfca399f9bfd06aaa
SHA256: ff39d9114145c66ce821b79d937005a575267df5db3b5ba004d507a45179ab25
SSDeep: 24:swAlJZlEDyIzSH1lyTihDQJu+eSmIfa2JWB8rWkzlkTw:swAvsWxxKfa2RyQkTw
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat 32.28 KB MD5: b61dba6729b0917d9705d9076c54adb7
SHA1: 732f3fa927abbb260fa229a3754c40cb5fcf5d1d
SHA256: 2bdf69a01dc1c9ae7c72c3a525d4ff318ae12595e631f8bbbb72d3091437581e
SSDeep: 768:r0q/Fdn2EwZY9aFUZPtmqfZamB14mUmAlTigMd0:r0CLw+9aWccZamBuHmkTigMS
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\01_Music_auto_rated_at_5_stars.wpl 1.30 KB MD5: 4a331d7cf152b4e846b70d869a7cf9ec
SHA1: 2d7fd027b0d3b872c97fc5dd3fcc677e170d0a1f
SHA256: 098ead5be206b7eb4339a927b6b568138d420b2826037569fad89951cb2b30a7
SSDeep: 24:ZQIfhX/EN6ykpjE4DFU0Y/PJOjA1YYi6/624NChA63eJV6qSVgeaq6:Z3fhnPyAtYPe0YY/aOy6qKaq6
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\11_All_Pictures.wpl 0.85 KB MD5: 302cad45ed6bbe3832e976c04c84f904
SHA1: 6cf2ab4c7b22a737d46420b8f52f4cd0b1118474
SHA256: 82f625c1f1fc8c177639ceb8bbbe53efb506aae833963d546d39940ef5d71088
SSDeep: 24:jUMOnqOmx56WQUFiDwT+XbwKAcfmWPfo8WG+rr:jCqHADwubwKAceWYD5rr
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\Cache\AcroFnt10.lst 52.22 KB MD5: 8f11f9760c6c068e77189f83cd41613e
SHA1: cd4ff31676608ff0a61d756aa99f27ea01ff649f
SHA256: b61d5cf48f7d9188d23a767b3ed9c04974d24d19e46790cdac703bb36e10cdd7
SSDeep: 1536:225G8l0c+/xz6/c3BjeNnU8UM2dWo13zgPrzd:fGy0cq6sEnZUvWodzo
False
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10116_MUI.msp 10.00 MB MD5: 9cf6b3ef4676c75efedfc6029af027dc
SHA1: 316eb087e211e86aa4ccd32004c42ff4fbe93411
SHA256: 0d361ba62fa66e7358bc9d0d198539b11354b9e4182f6a330005cffa54f3708f
SSDeep: 196608:3Bs6jwlxQvRo7ulQwf+Qo4iT6YqQitS7+KgxUzGVw9vV+Ud5CP46ZjNK:3C6jwmo7u+w/xdBISxUzGVw7+YMggK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\RV q366ndMhU 0.jpg 9.41 KB MD5: 247a9ddb95c059187d6059c48472fa5d
SHA1: bb9b7cf218b9ecb273baf6c0e1ebf879672a1a4f
SHA256: 8b0bd2d2aae15f4a6512c797091172326a0626003dfd21fe063344d0e195833b
SSDeep: 192:QwvAGUhGaT97WEdA6z2VR2j81n3cJd9H87T8pR/V2/0fS9/X:QOAGUJDdAk2XyI6H87+R/LS9/
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\12_All_Video.wpl 1.33 KB MD5: 8f3bcb35e32e9b282857dab5c27c2402
SHA1: a34c9429827d46f87d8b166d0c69e047db8a5dae
SHA256: e95b8e3d02b69a0484f5c053f2318e328c05887b511af8b0d0cd19deb182fca6
SSDeep: 24:mx8fRwJ0iik6034ZInNuCXo5NdY//SNub65Pz1LmIgVerrcYF:mx2E0BkJoSDo5NCXSMkBLgcn
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC 1.75 KB MD5: 518f19847abfe44d9197c0bf8735620a
SHA1: 677d4034a3301f3f4edaab2fcdbcb62b37810257
SHA256: 276990ea9c56ff06600995f9f9f8695be9665080d88e3deae7081436d609442b
SSDeep: 48:+Yb+r7+miWDFSL8A75G8iYaWhs2f6JBY63Cbs8Ag:Zo7+mi9ziYaWu467Y6T8Ag
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61 0.67 KB MD5: 3d2c4b8311f420036b583fe333374a74
SHA1: 40ca737c62395a6065f0ba3780a1499934c4cac3
SHA256: 1f8e469a3542a4903216dab1e2210e3a51f68524bd1605a7725443ed7942f89e
SSDeep: 12:ZjzJdw/ytg2tajDF7RK4yRWqbF6P5hEoS1HPri8ALMa9HAK9AFaYMjdDmzgQ:dzJNtanFt7ybsPPEoShPr7ALMaZAHFae
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat 4.78 KB MD5: c4a972b8c00dac76264bba59eef54221
SHA1: 3548bfa7ab713afeac238098c7ee3da216c24a8f
SHA256: efe780f7ffdba71b14be93326cff4e6102c1d0531abba1cc04a4c91348a7eb1f
SSDeep: 96:GcJpKl0HO/tw2gkLFTkcDapeU3I2xkjmFIa6DdKd5B1QskqUwy:3OS2PBocDapeUY0BPDtnUwy
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Office\Recent\index.dat 0.33 KB MD5: f4922719c374a453ed7c98cbe4210322
SHA1: f534095b2e246984032d8d3710765ab9d877d8f6
SHA256: e034581f2c040d9219c9a8813678d7ef3d34ba69885a1ba2734601dbfa8b441a
SSDeep: 6:AMydPNotxh4ZAxNb9acylLH4MtmhMSXU6zcE40WIPUx4J0V+L4Tw6sZLp7YZECxI:Aa6+xk6smLXU6zrKIcx4JQ84TeLpIrho
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30 0.72 KB MD5: a815378d9c5eceac0e7923fb85250a02
SHA1: f0b0a8218a7d7588f67b5603cbbd56d9a26f1f2e
SHA256: f4b8999c2a3b29319e6624facebaf42d8563f90aecb0ee831f07042c4f607167
SSDeep: 12:nRzqf8wafgEUlGYqZgFCvkX65XDNOip0BRS3+XhAomiO0iNflQNwks57DpKC3h1B:RzqUwKU4vbROi8k3+XysdsNQNDgDpKwB
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 0.77 KB MD5: 5175470cfdd58709930eb90cd1ebcfba
SHA1: 7ec41adf5469d46adb4909ba22b51bff9119ef07
SHA256: 955feed9c0f1a2a51df2545ea43aaa3ce0c1ee2800dc2c2551f7ea4d1790b094
SSDeep: 12:z89tSsgl+QTh66WG1K7Zt2gQ7Q3BT1PH3XjjrRQalL4KdzS1g+FlhacwgABK4Dxz:z87SsglQpUKdOgTtHHj/RNpxdzSLcVDL
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office\ONetConfig\350db95df4cbd94b2a1c300510e12e11.xml 2.25 KB MD5: 010bb418e23baddf0ceb0a4afec8e8bf
SHA1: f95a03a68bc58bc53e7e0fbf9165a6958e830060
SHA256: a65922097bc04144f53858d196dee58378a23fd778e537547f27fde7efca96a3
SSDeep: 48:vn+3J2Nvel5H1noIn+V3zJhIpyBPNW4IkA90XHPKG2PZaRJRg+1E:eJ2Je/x6JhEyBPEvx0CpYk
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8 1.86 KB MD5: 6582783d7d6fcb731ab374d6ab0ec087
SHA1: b1ff794f9f3f5248f4a90d5f5b6bc5a010677801
SHA256: d1ce3fe7f2f7f0f5ab57cf4d33cf7ea0bd395cdb51aadb35aa7232ddeedeb91b
SSDeep: 48:OveNMCp2SkgMomt2k95WJX7yr8UT+rWoeIOdSE1Dn60:OcMCYTZKXS8UT+rII1Ec0
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE 0.67 KB MD5: f0bcac3a4cc2645d9943086f16becc9a
SHA1: 9a4dde5fd5caf1262afe3c6e33749912919978cf
SHA256: 87204c58beb629ba47cefe225868b6005a34973b54f388c29a30ce1d1dff88cc
SSDeep: 12:b+vGUb5WcQSmvh5D8gRBd4r1n1Xrzrsm6NfF5o/OD32gGxl1ZLAkbl:b+OA5dY5D8ev4r1N6N7wONsH6Q
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\10_All_Music.wpl 1.31 KB MD5: 56384e7a7058a06ac9e79cc5e8efdb1f
SHA1: 0414baa4e73729437611e56a0a51e3c121fb0623
SHA256: 4283e6b0c3bb1c3ed3f8b65c19a9ba36a6ef6b23877f4d48672f88b5a3d0251e
SSDeep: 24:iRIIMXfxBTzcSl+/gexQPW1bQZiKHWzJUjxKL/SFYaEQFPX5nrGB0FFIzjy8VIy4:0pMXnCRQu1hKH6J/L/SFYaEWX5aB03wQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220 0.67 KB MD5: 1acf61416d9006a2276957cb68985d48
SHA1: ff01464e4933c7bbb92b5edcab2a24ceeb0b493d
SHA256: f238c7b647c6dac366ed2d873f2ccf36f7e67325bd4e9105193b357bed822d4a
SSDeep: 12:NYo8J1B/MWgH8RVZgNYo+WS+cISU2MeDAsVQyeUu62n4OE5LUQmd:Nz8/B/MNwV2CF+cT7h00Qy1gnA5qd
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\09_Music_played_the_most.wpl 1.28 KB MD5: 01526e43887c187ba64b45e072b4fb94
SHA1: b6e7f878f31e969fb625a67196b30a5d560ec77c
SHA256: 80b2f504846792e0b0da7d50e2b0e8ca602d7e5b92e1e8edac53e5ab3ccd11df
SSDeep: 24:nEM/Qazq9zmKFmNS/aN7CyG9oByX7fLD1Xor87z1IU4p15YWdeE75XKrzDwdY:Vzo7mNGaBCd9oBWH+izYpMMeE7545
False
C:\ProgramData\Microsoft\MF\Active.GRL 14.89 KB MD5: 4043575d268fb0c2267524e972009c69
SHA1: 9212ac49746bccd9e005d6fc683275b849dd5a74
SHA256: 7341dcb8a241e8e683ca7045dd1e7aebda074397382307786d882df75b88e102
SSDeep: 384:0zPw/JoYIOqxfDvcf1RbHflzC1OgZf5zH3yX3IlLEq66k:0z4JhqfYNRBoOgpNHZ+LX
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 0.74 KB MD5: 0f303e75427334c4535b195df2de6161
SHA1: c2a48d6de2f949ea2c8b716dd6cd210aadfd3d26
SHA256: 9b4dfaee0f3647dc44ea1db35ed99734a7b37b8252f1cb44643c01837b097ed4
SSDeep: 12:+gAIk2qU6XW2A5hRb9ocrcEzEz+7ZOKA8eb2Nppqc03Dn8:pAIk2eWhRbNXwGuVube3D8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\07_TV_recorded_in_the_last_week.wpl 1.30 KB MD5: f6c19b88764d6f2bd719f0d55f49c13a
SHA1: e6f428b154435eb534ddb29885d343cc3dcfd742
SHA256: 63a2c2a2f05c4dd3e4e1d1724f46ed4fc6af3bc883dcce607bde45f063349574
SSDeep: 24:N5sBe3whZGHyBrRrfOBFGNKZP5efYdax7L64THIdr0NiKSxFra8Kw/FFJS1ZzAYm:N5sB/GHyBrcFGEPvO7L64TomNhWV//h/
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\7j36yIw_9ZvavwaDmh.jpg 86.52 KB MD5: b1e157a450e653ef4cf6d026750dbf4e
SHA1: 86213d16eaab09e75ab9f44f282d281f3f6e4287
SHA256: 900115b6be4cb1dfb663ed15bd281f46e426a69cd3ac2119dde33819bb7f4f58
SSDeep: 1536:NzqpGDCGxCgTckwnHVWKLBFOnT7ymNUnhA7hmFqHwLxgURLhRYZ:FqpGDLuVWWB++mKhAFkQwLKU5hRK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76 0.52 KB MD5: 9e94be159359d675c0cc7cc5818f3660
SHA1: aeea5db4aa04e6f8dd271d16dc5cc2e3035352cd
SHA256: f89e780881493d52872d77e165d390b2d087de06a11934a29c4cbd1e50646d10
SSDeep: 12:YLv+56H8K4aZsWd3fgLnjG9HsEFKXTrsbuveM:Yiocx8fgT4hFKTeM
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat 32.28 KB MD5: 7bac74d6b41c028edbf315c7c4ecae67
SHA1: 7ae039fc2c07fa64b8240665335f8c94d45f6ad6
SHA256: 4e17934d77b2a014b71583428216cee6f7cb62af84f9524bf67e8a8607ccdab1
SSDeep: 768:G0D56/Z2KIph4SlOLCWHdVB/wYGxoNdLcps5xeBZ6GT:Y/Z2NhfuZiYBPcpsre7VT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi 885.78 KB MD5: 67eddd2e751a669388d37d75ec024557
SHA1: e60930df726c0e295b511c7c7d44cbda14b0f209
SHA256: 0f11167d21845371c6bcd1d7a1314b371fff34c4c259d9e8f5b06615d249e42e
SSDeep: 24576:Jx9T5z7Ly6eujVLOn/BBqoFTSTajyrJcn9ES:XhY6zQpB1WqKJA9ES
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\GV-wRmRhU.wav 75.53 KB MD5: d47c221ff8f52d5336f65dcfb0f322c6
SHA1: 3f3cc5851b99a65ba9c56cf66c39f3b86b9fd0cf
SHA256: 27feb38dc798dcb966ba5b47bff670eb9131b68038895a1fae02ae8ba3ff41b7
SSDeep: 1536:FqE1Ac+Ed7+l1/QbCSwG/1KAWrgZXCYkckWRknm8DMo3/Dxg:wEB+3l1/fo2EXCYcWRkn/5/O
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D 1.66 KB MD5: 7186b859ec8c88be57474b066a33776c
SHA1: 0d6cff317c38ef75821e0e750d5cdaf4034e4cdc
SHA256: 3537d8c08f0e6e7b8ebb27b5a45d223f20607b77e1e70ff5e77f307a9fa08ec8
SSDeep: 24:mgZ0+csBkZTk/t3v2zXEsUVqazYnT9yqH7yVVc7PMl/V7sZT/QKs5YFCkYFDVkn1:Y+TBkqV3v3DV7Enyc7UBuNs5uCv16
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9 0.67 KB MD5: 7858221559bbd52cae39b5fb06c252a5
SHA1: 607ac4fef862cb0c0e62ab1c8b45c4fe4529e38e
SHA256: 720c1c6085b08e7c508dd82cccaacbe2b2d0c1355e2375ecbbac94cbdf7b4977
SSDeep: 12:f6e1zZWOfB9En7Ce9cZQw1KwZXNRw7yzLATNcUnbvy2wSna9Y5cmQ:fdOOZ0znw17ZXk7Tnbvy3ccmQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF 2.00 KB MD5: cdd47b622426cc259c3c68ce7a227616
SHA1: 69a09ee3efd5b418cd66aadb2b62dc8a742a7614
SHA256: 458c3fce4a1d63266af73c9fb15ba2a3c46d98ce08fa715e11d7657c7ec0208f
SSDeep: 48:kp/60BO6z7aWE4h/gmJfCwbH3YbnhUJc8WF+9aFyrefrWessY51jJp0MdD70re:uOC7aSh/XVCeHGN8I+gF+e6essY51jJn
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\AdobeCMapFnt10.lst 34.56 KB MD5: 0f0c9cb4c20c0e544be56e5d313c6d30
SHA1: add9d77911468248b876161e972665e2434edbce
SHA256: 624bddb0449f93cc26c232a51e2840a81918269ca9614eb0518c5e9629780460
SSDeep: 768:06BVIKN/dYvEmBT8UPqQSCenrd7GyLjiOykBs7XiEuB/:0cVIKN/PmBIUPwVGyLIXWB/
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 0.71 KB MD5: b990d95c86a784961e0055d81421953d
SHA1: 8d10d2699bcfb7a5324e858a201f71564a8a89cd
SHA256: 49b89369448fbc5aa64861930be124300aad86417faa1eb1863c59282490f0a0
SSDeep: 12:k86fbWEablyG/xGCkxgcKolqc97zmAM1ehhZxRaZj4Ney/pp9Qo9qssuxFb1:mbWPblVozxlKo0c1CHU/xRaZj4NemZ9b
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\z6aeKDo.avi 25.27 KB MD5: 4490faa8681360109bf2d4ef85b06362
SHA1: 8d415c6e343b2165a8d4fe8a657ff449b970df84
SHA256: 2f3674ef811e369dd7d3d2bbeb218f0ff2f2a43094e236faec41768a625a412b
SSDeep: 768:Abl8xEHWJMIWpZtMAizE0VzyedkDII9f8mR6:AbGGsMIWX+AifVztdkDlEmR6
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat 4.78 KB MD5: 50448466a646b8f1188fcc00ffe7f231
SHA1: 77f862e16c0c6c36a877f5e0e5186225ab540cb0
SHA256: 8889adaf16a3a79ee4ce4b9552c605daad5ad98b1dfc7529ac8df415a5b7daae
SSDeep: 96:QbWIaQntNE86yxxgl04NnE7aAL5NTVS4Y9HhoV5bmNZt7E:QdaQblxglRnEPLSduVStQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\19Kgww8LCX.gif 19.11 KB MD5: 3f630ac97137ef68b2122d4b09f72c59
SHA1: b5ca3135f1049878775e4471e672b9244293d9d6
SHA256: ee94e9a444dbe7f6cd24f5cfd8b1693a4cf7e57355f8249685b0de656353a621
SSDeep: 384:Ujzek+oQUGLyaHo9rtv3KpawlpCFdJX4gHmBv3G7GyJICf:UjunyGoNtv3gaw7CJX4TAvf
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT 16.28 KB MD5: 5385699341f7a67605a2136edbb0e6c8
SHA1: 32bd2ceface436fd07de7d23bfc4ffcdbfa8498c
SHA256: 9bc2a0545b9fe6969c506e50374bf84550a1047d811247e34ec272a404aba7eb
SSDeep: 384:qFkjmkBAUHLZCZHokjRqYsmMe3QoxzaKnjpLWM+dpb6lAU7oRV:qF0hnH1C1lq/mMeJzaKnjE/dp2l6RV
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD 1.06 KB MD5: 69c2af937d69b17b8d5183b285a0296f
SHA1: f7a1cb4e52a00b3aed48face07c62025dbace457
SHA256: 4d348cd13b5da32d1345ca80ff5efa4ea4213b2f2aa39f84e51f2988f92cd1b3
SSDeep: 24:Pt22b80tdm9qft4HNHCAEkgJvllCsDUYtxDq7/qU2e6icptYDk2XsLtEFB:17rZft4ABfRXOJ2GcnYDk2XMk
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\wPLG.wav 43.72 KB MD5: b73f510541b6009956ddd412831dc1b7
SHA1: 6a232d39361dad55e0c4613f670db608cafca3ba
SHA256: 4ecfdcfddd8789111cf309f3d82f568d6fae300da319e7986d85c45573d48a91
SSDeep: 768:YKFyzTb4J2mQefGV7kuNVrp7ekopC0s5/DvdniNXfi3dMRi7OVG4u5sE3iUjbS3P:XJ2gfGpkMVd7eDC0s5LdiN0ywNsEa1Zz
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3388679973-3930757225-3770151564-1000\0e15476d-d8fe-46ca-8099-ebdcf80f637c 0.74 KB MD5: 00b75bcd06b99064becb3d1d8960fefc
SHA1: 1cf7b5b317d10509018d9b2a22f7331d02e6fd5d
SHA256: 16b6e2b4f06da989111f5d987272536e55c9a6c8885671ce6bf0b0c266e45e06
SSDeep: 12:Zw3b1DwyrfjIOztlHrbIeLhIM0IvAGoIE7w12uQ31WSH4Fan4zP14lGI8I2bs9Wv:Z2i4f9ztlHrsaIM0IIjIE7w12uCWt4l+
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 0.67 KB MD5: 9419217dd03634cf1c13c74a5a728853
SHA1: e288f22b33f67dc937fa2806d7a08dd4d0a296dc
SHA256: 7ef9e6e3546b0f75ecdc2287e399202d46c0da26fa6a2f0ccd5fbf33ce8b27fc
SSDeep: 12:v4unviQdJw5ugZpeBdsnlxCqS8c6YVzMEJfL6ugbqHS63AVB3B6:v4b5cBd4fHSSYVzMRNbqy63AvB6
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398 0.69 KB MD5: 5ad88be81d52f195f4fb5cf04538b12a
SHA1: 72c918bdbbe580460d97ac4501936974792f7c40
SHA256: 30a9b6efcf5440ddfd66c5e46c895e55e26db3bf267e01f85a08ceb9815859ed
SSDeep: 12:5tA5948bPTDxQr0waL3rvzNW8zjmp8h+kih9m7LLGWrZRJnzF6TPUIyT/:Hl4PGsXmp8YHX+tETPUI+/
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms 28.28 KB MD5: f9bf6e66b15519a335a9806e96046a4c
SHA1: e55a2ced632f1468feed1e331da325c13bdc712f
SHA256: 3f49904b25d92ddf3f35b04d8f4e181ed157ee5b36356497c7d9658109772efb
SSDeep: 768:V9HsK2m0kP6OZHnEpLqDJpiSKktcwWL+TWCOXna:3HsKn4O5aWDSktc5hCJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0 0.72 KB MD5: 5f3be718e8c95b5ea0a47a8e22a308c6
SHA1: a8d6febf7560e3f4efc236e07af5fc1b02e399c1
SHA256: 1f4c0127999b9f74d66017ecdb1ed80207d5a55017045cfa66bab1751f760ec0
SSDeep: 12:wAWMsHGVCvgRSJjYuz5IfsDICAosLlngIR8ZKMhLO6S9PvKqV66IETlJ9:fTsHBjZzQwICAoWgKMhLJS5vfBIo9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875 1.63 KB MD5: 0722b0d8202fa321e6f011ef232df70e
SHA1: 44246f67b50c8f35bdc468fa7bd7cd768c022c16
SHA256: 1eff8102b3b1fa1149daf45dac32ba2bc6a20af80b8a4a951c51bc140b50c7d2
SSDeep: 48:ue8eGFxBVNC5/1wSCi1v/7ULBu0zz0BwB:uxZFxZMNwzisBu0H0BwB
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Outlook\Outlook.srs 2.78 KB MD5: 84fdda528e7616f5c281cb617c743c2c
SHA1: c6e0acd0863bfd9e34f55f5df6d8cf81c5b51d28
SHA256: 87a0687f31dee8f6470af052b2073d4018cf3a8d6a8d619125fbe6e4015c73a2
SSDeep: 48:2h7WzThTX1or6BfoihPnWh9jXPYBVOwuZvKvJz0WuRxartFLnMMTK+0W8CAYhyUc:2hyx7Sryf5WrPYXOwuyNur2txxT6WlA5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9 0.67 KB MD5: 95fd63636b9fa63819e0966d77b8e06f
SHA1: 96a16b10aa1fb742becd1e9dd63cf339fd2a08c0
SHA256: 943dcfbbce934fe240394d1dfbce6d567cad5d120f7ce6acfc8138e6cbc3c2ca
SSDeep: 12:C7FAHsfH3Tk8AJwRGf9wdHkWOTsPpxZcDKv/Wh2H5j7x5H4nP:iAgH3TkgGf6HkkXZcsA2dn4P
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC 0.78 KB MD5: 341fdc91ab8f1da78d14db32c5f34bbe
SHA1: 546caa8dab40cf8dbe9753f3fa0deee793e94fd3
SHA256: 60f564f4e955f3abf52858aa49a6a32d6d55aec8e507e8953e620d00262c39cf
SSDeep: 12:t4O3B+pi97mRIVv1Eby42fgrjULDQm4X8zLRwP3Z4NjbMwb1qJmfMDSf1shyT5u+:DIK7dM2fFAmapPp4NjQJmfrAyT4fzp8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE 0.66 KB MD5: 1a5ff10f97b099f9c0b1ca83a63a13bc
SHA1: ae52d88b2265db4ffc1e9fdd60facdf068c643be
SHA256: 8f49d1102854390d8a8eca6a9ef7249d475ccf636b891e78ca62423c8834d267
SSDeep: 12:dOrVX3/QwnkzW+ZHrXVE4DNgBNiFzsCKGjJR1SINfhq3q0UZzkMCp3t:dOrVnkWQXZWGdsCt151oq0AzhCp3t
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 0.74 KB MD5: 834d854f1dbd6449d0ee2ef5073bdcec
SHA1: d26fcc7b34eafad37a9e8a2d484a89deaac87319
SHA256: bf0ca6a3ea5382ee2a6f72421cf6d92e1aa5bb1394330c4046e395b808e436e9
SSDeep: 12:c+fARdZaz6IiB+7DphHW4bkUTAID8mIQfMJYdLCq94IkCH7Ap3DBR5S893U2+88o:c+fAszbic7DphH/kKAIg9cMwLB4Ho+D7
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 1.63 KB MD5: d4146a7a9d6efd4ae1d1aa4b154c89b4
SHA1: 423ac314130cd1a97bd0534e52dad70e2ddeb4fa
SHA256: bdc4bc69ad153ec7252c8a1e9b61e2f125f60be4804ee81f584b8fba6d9b6b44
SSDeep: 24:slt3pZBc5cI0qe5WKpGDuh6+0/BgY1W8v543gM8uA6MfbLkeIhOfBcwyh9eianWO:slt545Iqe4s+OYcM4Qlr6+lt4i1
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\manifests\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms 14.46 KB MD5: 602a458bfa3b3053c6764092e33dac9e
SHA1: 4d6c2e2f4795a19750657b69ca68909bb8f36966
SHA256: cb290a4a8f24c7901456054c86de5402aa9cc46b72dafec7f4fe8750d745e21a
SSDeep: 384:dHCivtrqpQsr4SC7/QzjG6x4vtJRmhO8DdeiamZ7GSalmq94yMF49F9c04k:BBtrqJ4J/Qm6x4vtJUhO8ZVZSByy0SF1
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\11_All_Pictures.wpl 0.85 KB MD5: d2244d47db2d2ae0452af0b2feeb2597
SHA1: 99a0b1624df126c0452bdddb76257f390af81091
SHA256: 62bed9df11f679ffbb6d9c2a21fcd50282c91a6d3fe8a3b5c9e97b1eecbd9822
SSDeep: 24:juT6zwElPbJY0KiKPhEckXtdEhm2iUKwyLQZjQ+TLt:KT6zXljJY2mhEzdIzQQpFt
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3388679973-3930757225-3770151564-1000\0511c6e3-7aa0-430c-ba92-892236e955e5 0.74 KB MD5: e1c3b6b9f98c89814e3f5326ee5eadbb
SHA1: f5a3aefe45dab2e5dd01374032a4f86b078e8ebe
SHA256: c46be18bb0c09be789f195a75127525a2b893527567c0ac99886586b87a91f6c
SSDeep: 12:tSHRKkzIQIOQImxOfcjlwXfaDo3fC+b9D3rhVgESWA+G1acWrHjF7tcYDcIk3yo7:tyxkQIOdbQMBCIbhVGMWaTHjF7tVDcI+
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873 2.00 KB MD5: b9f19dbd990e73e6183b71979c798bb2
SHA1: d7a32e1dd4e9de01eec2fe7624311ec590779a4d
SHA256: db848c5762a4d9d844518baa810b3bb21818e0f90c7b47b8352d458cec169de5
SSDeep: 48:GHcopR1uI3wFlvoGzS0K9occUBZZAH7qcSPgHiik/nG1gx+aR2eu:GzFmFlNzT+occ8bAH7dS8+CgR2eu
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3388679973-3930757225-3770151564-1000\02540a10-7eb7-4b20-a8c7-470f8986389c 0.74 KB MD5: 4498fb3d315a19d01800972a3c8e62c3
SHA1: 92cdbe902316fd1c4f9588fa2fd3fbdac1dd8cc5
SHA256: a133ef79b4bdad86511ad72546b235b433533a5ca50d32bf002fadd2e755df9c
SSDeep: 12:QdLw0SU9huqLQJznzsuIPt0asexgvL5WzReEnFGh7xpgBunPSItp7JcvWAwzjCVc:CE0SUJLAAuIaavX7e+NQIvDwXC2n
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\ehP-Bfiv5vGeOQfFEnG4.mp4 81.02 KB MD5: 168524825777085ae317c2c1443619d3
SHA1: 8acb8678e97a631d205538b75c2195a71aa1467c
SHA256: ffe5b884f24a8ac0901c9e86ff1108613215c6bdd3c94e97e29c0e797289be4c
SSDeep: 1536:23pGqv6IwIOfu+BiRnQkOEA1yjFMVgMoPoAFRRM6B86xKfFZa:2pv6IwIQmAEeCFABoPHFI6B86x7
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\05_Pictures_taken_in_the_last_month.wpl 1.05 KB MD5: 1f271e42ec78d5316e5899d5114ac8fb
SHA1: 0ffd2c24b2f0bfcd0879bd10b11f26ec891d0bc4
SHA256: 37e978c61e7be3e37186a7b9d234623201e8df0850eb63df43b61904433459a1
SSDeep: 24:aVxrzbR4LYneg5Dw7VZY/FLohQYWFFi2U+JqP7xr:aVneODR/+l2M2Q71
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\01_Music_auto_rated_at_5_stars.wpl 1.30 KB MD5: 453edbf6ab418f11315d726171252ba9
SHA1: 45727709f0b9fd248d2d5e16ac3a44c472d35b31
SHA256: 42179cdcc6efe3ba0d289a12ce64e8e0b9cd0e3728c2c77947118ddaad2bdbef
SSDeep: 24:MtY0hfMTq2DMnnK/jSn/0d5u3xYEDEP5KmvWm/NCi0XHe2S:zT+2DqnMujYGEP5KmvhlCdet
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl 37.10 KB MD5: faa5d4ebde33948cb17681e9a1828c68
SHA1: 0e4ffefdbbc7cad9edfb4c3abfec3d6635de9465
SHA256: 81da3a3d5aedc8e4c1c036627da5380ff574aaf193d252474f5d40cf267d134d
SSDeep: 768:oz+hmbtV09HWrtaxfzJqXUV9J1MoSEfIK0YLtgd8AZM:MUmb3nrGAEHLMFEghYLtOM
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Q3klePDr_a7JNGL.gif 32.36 KB MD5: 6650a1e395985b08bf152e7cf8a5e02c
SHA1: 858186ccdd9241783bdff03195d3293c971a6cd7
SHA256: 88781bfbecb0deaa6a7e37138e85cfe810f3de3507d94e9fbeed77c585f9f88d
SSDeep: 768:M8xIC3Rw9UMt9vaaaouxsaOs9zo5RPNh0PbEGJPRhhIMZTfxa0dG8rdc:Mf9UMt9CguxZ59zeRPr0jrPRhhIMFfxA
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat 3.78 KB MD5: dee5eb8006b5a59447d404395649c64d
SHA1: 2523218e430fd2ee2b24c7008e392dcd056fdcc2
SHA256: 41c2ccf5ca2a67c861ffb34df8f7bb8fc9a9cff56b5452af7c09ba073da73b9e
SSDeep: 96:qAQHTjCkjj2vU+2Or2EeHuGepLYt7VIeDop:qnfjwUMyEeHSUt7a2op
False
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrSecUpd10111.msp 246.28 KB MD5: 345e038bc0eee53e4febf0669a86379b
SHA1: 42b737f468294817a475193a0a942820d8a7f8b0
SHA256: 8a1340d217982befb842812427d8d51b7dcc12c8597f00c29f3ba158ed98c654
SSDeep: 6144:OAnmY+J1dJ1LmBbKJUCRHjRfpM296Ee87dcoqpdW9Fo6mot:4vNLKqUCRHjBiLEe0qjYFo6mc
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778 0.66 KB MD5: 5c7839d99b774d4814ea567bc8095290
SHA1: 80cd6283d5f1869b50d14ab1d35b1f436b8c9a28
SHA256: 96dccb4d745b5aad3028a4a6767ea527e04d1e89257e75cef1bec3201d8828ee
SSDeep: 12:EKYKb+LN/cG6lETiWE6R5WldFllfqhjl8OQWU3uu0Llx49nq0KW/Sn:EKYt+G6lM/1cN3CluWUh0Llx4tan
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\IconCache.db 1.15 MB MD5: ec9376c5cb8ca63f49da8a88212a9d41
SHA1: c65a83908761831f4588f7c7b2dd719d13801871
SHA256: 8b6652eaba778a0115f7a129a12fa5bb0290f40900431296c01a694455f3babf
SSDeep: 24576:b+V7xfY3UKEnrIyFfEwDhQi3qr9tkOzTneu35wSmtgb+ZeYREE:Sc38rzFflNQLr9txHZefabUEE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\SYNCHIST 0.35 KB MD5: 4b88b5a7971a658b936cbddf20040687
SHA1: 47617df95c0cdac9ae84df00792dd691831b4b63
SHA256: e547500c5036ea4acef717eeed09b9b11404e629f2b8aaa3964559f52fc6295d
SSDeep: 6:aXDPrPZBe7a7gC70MYD5wiqKUBVsiGv7Cdwkf2rkXt1Su4r4pqqN63OGJl:i3u7Ux0IiijsH2OW4eWV+63OGj
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 0.81 KB MD5: ce1fd9a1b4f8ad5be90d1f3762cce7d0
SHA1: 2d370471b9841681fc7f130f6220cb5448c1b192
SHA256: 04e2873d5139e4a6eb453417253ab8c432cb2c6c1f0fe6e212d534b4fe940ece
SSDeep: 24:+xiQAtAZliuPcF2lPZhTZPBTs+xen+7tGvA:+0PuZIv0PZFZPBRb7td
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F 0.66 KB MD5: ba41c09f3fa3a90e7d83b35d1365980b
SHA1: f71e700f57cf05fd856fb8f71af1624ed68e6ab0
SHA256: 8390fed575e406999687d89f89bde9775523a739289835b1d9715a7ad70b0464
SSDeep: 12:A+4w/JitWOMjmw0sxRHEaykCGZU5eZ+ekMr1gvA+aUtC9n:X4w/Ji13yi3n8UEZRkMobC9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties 0.97 KB MD5: 2a7ba5eec7fc309780d9ef0b88afe77f
SHA1: 0ac199acf82f97b89bab50d2d41ae1166ae04840
SHA256: a20b5de5fd360d032897ca2cfdc766a9c6e5df0f7965a1e4876ef1242b60839c
SSDeep: 24:DhAK5RaGD9fNplloHfU6PECMxrTJl8nn81/mZ:DhAK5XB4U6DMlqnnEmZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\ubb LqXLATFa.gif 40.47 KB MD5: 4b4b25152164a33796841f5322cd5bba
SHA1: 05d66763e4cb4f1fa8e832700d10f7585d9e987a
SHA256: ab81bf1c98f8eb5bf8532916c60db53d35aab29cdbe463bfcf9b0365cad93800
SSDeep: 768:S0GUqTmdsz8cnZc4vTHaHwgEwWDZ/z52dWP9Wlx/Xitv/UwtUM0bfFe86SAVD5UI:7GCd6PHaQgEpZ5iWP9WltXgvM7M0bfsN
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms 28.28 KB MD5: 5feca77b21c9b9bb823d69a2b6ecd235
SHA1: 03750576dc4eec7b7243c58901e71f6ae174630e
SHA256: bd10f902867d24171e940b152330ba3e25fe72d6ed7f4f9272c6c2a3b5c24e20
SSDeep: 768:kwsb7LCHJJkAeC7HcqefTdf6QDKTsXV/AYQO:kwOOpJkkefRfLu4XlAYQO
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\JakbC0D35mXemqu.odp 21.08 KB MD5: 5d24b6719cfad5e9c00f0f3aa8a0c638
SHA1: 646745456f4d98f94bf84a1f0b8eb418ceea2779
SHA256: f4f78b523920c1e45f42adc18cdfb7a1025964e1c6c7ca243ceb20e4e14899b6
SSDeep: 384:D1Up3+nB4Mze28822zRSJ319caoX+C2YtVKIB453k12Sl:DMunhe2x2VHcaoXv2IVnB4pu
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8 0.69 KB MD5: bf5dbcd3e8597ec72a7f6c2d1fb55372
SHA1: 57815e2cf9871b18fc180cfa0b9b9285b20b8b5d
SHA256: 6abe5e1ae4d46156a20dc439bdd6c80b539975886b208c4d4832fddb81d0eb1a
SSDeep: 12:j2/qqvGo7Fu+jPATWSkS365nzmzBnIK4hLJV8TUeDrDnB5J489hWl5eeJf/+guhD:gPF5FY3QzmzSjhFSTUunB5JhLWDXuhqa
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\nZS Qg-Nz.csv 54.42 KB MD5: f04508c7fb0e26b9cf784a46dac3b9c1
SHA1: 519178a32d246d052b08110b0d528d658858db0c
SHA256: 6526838da47f00733a777a3ce32d3a5f76025d743fa4823d3350127330050c6c
SSDeep: 1536:uSuoSdPGUzvwzCR4KkusGHYqt2VWzTyQe7cI:QFVodOswYsJTyQe1
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\ciqVdTiucu.xls 50.64 KB MD5: 5f0a3c1274d4b79ec8ca2b5cdfec6463
SHA1: 4f7499b3b9f563305d007535249a3c83b829a828
SHA256: 2d7ad0373e50985b8c2d51b37f01b23607e629ddd4c820b8b577aa82e98863b0
SSDeep: 1536:GpG9yFYhqvvtRsqYhLnaoPACRQ86dOG7prj7wEZ:G4cWGtZYNFPAqQ86OGP7/Z
False
Host Behavior
File (5582)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1
Fn
Create C:\users\Public\sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Fn
Create C:\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Fn
Create C:\Boot\BCD desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\BCD.LOG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\BCD.LOG1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\BCD.LOG2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\BOOTSTAT.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 25
Fn
Create C:\Boot\cs-CZ\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\da-DK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\de-DE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\el-GR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\es-ES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\fi-FI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\chs_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\cht_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\jpn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\kor_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\fr-FR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\hu-HU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\it-IT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ja-JP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ko-KR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\nb-NO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\nl-NL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pl-PL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pt-BR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pt-PT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ru-RU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\sv-SE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\tr-TR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-CN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-HK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-TW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\bootmgr desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\BOOTSECT.BAK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Config.Msi\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\hiberfil.sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\MSOCache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\pagefile.sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\PerfLogs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Fn
Create C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 27
Fn
Create C:\Program Files\Common Files\Microsoft Shared\DW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.CNT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.HLP desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\MTEXTRA.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EURO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Filters\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.CFG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FNT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\GIFIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.CGM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.WPG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\WPGIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Help\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 38
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 10
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\MSClientDataMgr\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\MSInfo\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 4
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ADO210.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MUAUTH.CAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 22
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\pkeyconfig-office.xrm-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\PrjProrWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\ProjectMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.en\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.en\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.es\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.fr\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.fr\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\Proofing.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\ProPlusrWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\VisioMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\VisiorWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\WordMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_EN.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_ES.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_FR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 3
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\STOCKS.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\STOCKS.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\METCONV.TXT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\MSTAG.TLB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Source Engine\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\RECOVR32.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\Wks9Pxy.cnv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\WPFT532.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\WPFT632.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 46
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\AFTRNOON.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\AFTRNOON.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\ARCTIC.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\ARCTIC.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\AXIS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\AXIS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\BLENDS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\BLENDS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\BLUECALM.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\BLUECALM.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\BLUEPRNT.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\BLUEPRNT.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\BOLDSTRI.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\BREEZE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\BREEZE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\CANYON.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\CANYON.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\CAPSULES.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\CAPSULES.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\CASCADE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\CASCADE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\COMPASS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\COMPASS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\CONCRETE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\CONCRETE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\DEEPBLUE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\DEEPBLUE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\ECHO.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\ECHO.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\EDGE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\EDGE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\EVRGREEN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\EVRGREEN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\ICE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\ICE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\INDUST.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\INDUST.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\IRIS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\IRIS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\JOURNAL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\JOURNAL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\LAYERS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\LAYERS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\LEVEL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\LEVEL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\NETWORK.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\NETWORK.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PAPYRUS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PAPYRUS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\QUAD.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\QUAD.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RADIAL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RADIAL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\REFINED.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\REFINED.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RICEPAPR.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RICEPAPR.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RIPPLE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RIPPLE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RMNSQUE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RMNSQUE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\SATIN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\SATIN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\SKY.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\SKY.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\SLATE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\SLATE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\SPRING.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\SPRING.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\STRTEDGE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\STRTEDGE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\STUDIO.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\STUDIO.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\SUMIPNTG.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\SUMIPNTG.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\THEMES.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\WATERMAR.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\WATERMAR.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 7
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR\MSB1ARFR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENES\MSB1ENES.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FRAR\MSB1FRAR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FRAR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1AR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1CACH.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Triedit\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\FM20.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBCN6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBENDF98.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBHW6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBLR6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBOB6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBUI6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VGX\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\BIGFONT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\CHINESET.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\EXTFONT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\GBCBIG.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\IC-TXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\ICAD.FMP desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHGDTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHGTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHTGTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHTMTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Folders\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Services\verisign.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Services\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\SpeechEngines\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Fn
Create C:\Program Files\Common Files\System\ado\adojavas.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\adovbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado20.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado21.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado25.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado26.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado27.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msadomd28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msadox28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\msadc\adcjavas.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\msadc\adcvbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\msadc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\msadc\handler.reg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\msadc\handsafe.reg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\MSMAPI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\System\MSMAPI\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\Ole DB\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\Ole DB\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\Ole DB\sqloledb.rll desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\audiodepthconverter.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\bod_r.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\directshowtap.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\DVD Maker\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Eurosti.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\fieldswitch.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\offset.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\rtstreamsink.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\rtstreamsource.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\SecretST.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\Common.fxh desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DissolveAnother.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DissolveNoise.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 16
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
For performance reasons, the remaining 2119 entries are omitted.
The remaining entries can be found in glog.xml.
Module (78)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77550000 True 1
Fn
Load mpr.dll base_address = 0x7fefaaa0000 True 1
Fn
Load advapi32.dll base_address = 0x7feff740000 True 1
Fn
Load ole32.dll base_address = 0x7fefddf0000 True 1
Fn
Load Shell32.dll base_address = 0x7fefe360000 True 1
Fn
Load Iphlpapi.dll base_address = 0x7fefaf60000 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77567070 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77572dd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77561260 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7feff748140 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7755ad90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7756bdf0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7756c480 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77568070 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77561910 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x775667a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7feff74dc20 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x776940f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7759bb30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x775e8840 True 1
Fn
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefaf6e558 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7755d910 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7759bb40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x775594e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7feff751fd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77561500 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7feff75c480 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77572f80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7feff751ed0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7feff760710 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x775e5620 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x775637a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x775e8d80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7feff77b6b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7feff7419bc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77572b70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77565cf0 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe37983c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7755f9d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x775580c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7756bd60 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77561170 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x775664a0 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe5bec80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x775665e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77567700 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x775731f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77559b30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x775735a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7755b930 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefaaa41a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7feff7606f0 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefaaa42dc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x775582b0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77552d50 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7feff75b5f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77561150 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77572b00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7756bdd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7756bd80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7feff74d98c True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77553060 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefaaa3e00 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefde0a51c True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7feff77b6d0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7feff74af6c True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7755af00 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x775592d0 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77566620 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77571bb0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7755ad70 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77566580 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7feff74afa0 True 1
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefde17490 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77561870 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x775613e0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7feff77b650 True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7feff74bbb0 True 1
System (7)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Get Info type = Operating System True 2
Get Info type = Windows Directory, result_out = C:\Windows True 3
Process #414: net1.exe
17 0
Information Value
ID #414
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop KAVFSGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x274
Parent PID 0xa74 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x944
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
private_0x0000000000730000 0x00730000 0x0073ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe10000 0xffe42fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:50 (UTC) True 1
Get Time type = Ticks, time = 160166 True 1
Process #415: net1.exe
17 0
Information Value
ID #415
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop kavfsslp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x7a8
Parent PID 0x488 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x005affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe10000 0xffe42fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:50 (UTC) True 1
Get Time type = Ticks, time = 160213 True 1
Process #416: net1.exe
17 0
Information Value
ID #416
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop KAVFS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x968
Parent PID 0xbf8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x964
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe10000 0xffe42fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:50 (UTC) True 1
Get Time type = Ticks, time = 160400 True 1
Process #417: net1.exe
17 0
Information Value
ID #417
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfefire /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x91c
Parent PID 0xb24 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe10000 0xffe42fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6d0000 0x7fefb6e1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:43:50 (UTC) True 1
Get Time type = Ticks, time = 160306 True 1
Process #418: taskhost.exe
89 0
Information Value
ID #418
File Name c:\windows\system32\taskhost.exe
Command Line "taskhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:40, Reason: Injection
Unmonitor End Time: 00:02:08, Reason: Self Terminated
Monitor Duration 00:00:28
OS Process Information
Information Value
PID 0x4a4
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE50
0xFF4
0xE0C
0xA4C
0x99C
0x53C
0x7D4
0x7BC
0x76C
0x768
0x760
0x4E0
0x4CC
0x4C0
0x4A8
0xC94
0xF2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File r False False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b1fff Pagefile Backed Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
msutb.dll.mui 0x00190000 0x00191fff Memory Mapped File rw False False False -
private_0x00000000001a0000 0x001a0000 0x001dffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000620000 0x00620000 0x007a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x01baffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001bb0000 0x01bb0000 0x01fa2fff Pagefile Backed Memory r True False False -
private_0x0000000001fc0000 0x01fc0000 0x0203ffff Private Memory rw True False False -
private_0x0000000002040000 0x02040000 0x020bffff Private Memory rw True False False -
private_0x0000000002130000 0x02130000 0x021affff Private Memory rw True False False -
pagefile_0x00000000021b0000 0x021b0000 0x0228efff Pagefile Backed Memory r True False False -
private_0x00000000022e0000 0x022e0000 0x0235ffff Private Memory rw True False False -
private_0x00000000023a0000 0x023a0000 0x0241ffff Private Memory rw True False False -
private_0x0000000002440000 0x02440000 0x024bffff Private Memory rw True False False -
kernelbase.dll.mui 0x024c0000 0x0257ffff Memory Mapped File rw False False False -
private_0x0000000002590000 0x02590000 0x0260ffff Private Memory rw True False False -
private_0x0000000002640000 0x02640000 0x0264ffff Private Memory rw True False False -
private_0x0000000002660000 0x02660000 0x026dffff Private Memory rw True False False -
private_0x0000000002770000 0x02770000 0x027effff Private Memory rw True False False -
private_0x0000000002890000 0x02890000 0x0290ffff Private Memory rw True False False -
private_0x0000000002930000 0x02930000 0x029affff Private Memory rw True False False -
private_0x00000000029c0000 0x029c0000 0x02a3ffff Private Memory rw True False False -
sortdefault.nls 0x02a40000 0x02d0efff Memory Mapped File r False False False -
private_0x0000000002d80000 0x02d80000 0x02dfffff Private Memory rw True False False -
private_0x0000000002e30000 0x02e30000 0x02eaffff Private Memory rw True False False -
private_0x0000000002f90000 0x02f90000 0x0300ffff Private Memory rw True False False -
private_0x0000000003020000 0x03020000 0x0309ffff Private Memory rw True False False -
private_0x00000000030b0000 0x030b0000 0x0312ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskhost.exe 0xff7e0000 0xff7f3fff Memory Mapped File rwx False False False -
private_0x000000013f060000 0x13f060000 0x13f095fff Private Memory rwx True False False -
winmm.dll 0x7fef8080000 0x7fef80bafff Memory Mapped File rwx False False False -
msutb.dll 0x7fef8bb0000 0x7fef8becfff Memory Mapped File rwx False False False -
msctfmonitor.dll 0x7fef8bf0000 0x7fef8bfafff Memory Mapped File rwx False False False -
hotstartuseragent.dll 0x7fef8f70000 0x7fef8f7afff Memory Mapped File rwx False False False -
playsndsrv.dll 0x7fef9030000 0x7fef9047fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
slc.dll 0x7fefb040000 0x7fefb04afff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fefb0d0000 0x7fefb0e4fff Memory Mapped File rwx False False False -
taskschd.dll 0x7fefb200000 0x7fefb326fff Memory Mapped File rwx False False False -
dimsjob.dll 0x7fefb6b0000 0x7fefb6bdfff Memory Mapped File rwx False False False -
npmproxy.dll 0x7fefb700000 0x7fefb70bfff Memory Mapped File rwx False False False -
netprofm.dll 0x7fefb8c0000 0x7fefb933fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbae0000 0x7fefbaf7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory rw True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory rw True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory rw True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory rw True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory rw True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe 0x914 address = 0x13f060000, size = 221184 True 1
Create Remote Thread #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe 0x914 address = 0x13f0619a0 True 1
Host Behavior
File (3)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 3
Module (78)
Operation Module Additional Information Success Count
Load kernel32.dll base_address = 0x77550000 True 1
Load mpr.dll base_address = 0x7fefaaa0000 True 1
Load advapi32.dll base_address = 0x7feff740000 True 1
Load ole32.dll base_address = 0x7fefddf0000 True 1
Load Shell32.dll base_address = 0x7fefe360000 True 1
Load Iphlpapi.dll base_address = 0x7fefaf60000 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77567070 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77572dd0 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77561260 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7feff748140 True 1
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7755ad90 True 1
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7756bdf0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7756c480 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77568070 True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77561910 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x775667a0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7feff74dc20 True 1
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x776940f0 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7759bb30 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x775e8840 True 1
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefaf6e558 True 1
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7755d910 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7759bb40 True 1
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x775594e0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7feff751fd0 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77561500 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7feff75c480 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77572f80 True 1
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7feff751ed0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7feff760710 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x775e5620 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x775637a0 True 1
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x775e8d80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7feff77b6b0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7feff7419bc True 1
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77572b70 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77565cf0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe37983c True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7755f9d0 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x775580c0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7756bd60 True 1
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77561170 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x775664a0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe5bec80 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x775665e0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77567700 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x775731f0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77559b30 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x775735a0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7755b930 True 1
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefaaa41a0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7feff7606f0 True 1
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefaaa42dc True 1
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x775582b0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77552d50 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7feff75b5f0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77561150 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77572b00 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7756bdd0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7756bd80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7feff74d98c True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77553060 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefaaa3e00 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefde0a51c True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7feff77b6d0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7feff74af6c True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7755af00 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x775592d0 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77566620 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77571bb0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7755ad70 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77566580 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7feff74afa0 True 1
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefde17490 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77561870 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x775613e0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7feff77b650 True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7feff74bbb0 True 1
System (8)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Sleep duration = 9000 milliseconds (9.000 seconds) True 3
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 3
Process #419: reg.exe
13 0
Information Value
ID #419
File Name c:\windows\system32\reg.exe
Command Line REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" /f
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9c4
Parent PID 0x840 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory rw True False False -
reg.exe.mui 0x000f0000 0x000f8fff Memory Mapped File rw False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x01adffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01ae0000 0x01daefff Memory Mapped File r False False False -
kernelbase.dll.mui 0x01db0000 0x01e6ffff Memory Mapped File rw False False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
reg.exe 0xffe70000 0xffec5fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (5)
Operation Filename Additional Information Success Count
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Open STD_OUTPUT_HANDLE - True 3
Write STD_OUTPUT_HANDLE size = 39 True 1
Registry (4)
Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = svchos False 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = svchos, data = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe, size = 96, type = REG_SZ True 1
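The Write Value row above is the persistence artefact of this run: a Run value named svchos (one letter short of svchost) pointing at the dropped executable on the desktop, stored as 96 bytes, which is exactly what a 47-character REG_SZ costs in UTF-16 with its terminating NUL. The reg.exe command line at the top of this process section is the same write seen from the other side. The Python below is an added example, not VMRay output and not the sample's code: it parses both the command line and the event row as copied from this report and applies the checks a triage analyst would run on any autorun write (autorun location, lookalike value name, user-writable target path, REG_SZ size consistency, and agreement between the command and the observed write). The row and command-line layouts, the lookalike name list, the user-writable path fragments and the 0.8 similarity cut-off are assumptions.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Command line and Write Value row copied from the reg.exe (#419) section of this
# report. The parsing and the checks are an added example, not part of the report.
REG_ADD_CMD = (r'REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
               r'/v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" /f')
RUN_WRITE = (r"Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
             r"value_name = svchos, data = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe, "
             r"size = 96, type = REG_SZ True 1")

# Column layouts assumed from what is visible on this page.
WRITE_RE = re.compile(
    r"^Write Value (?P<key>\S+) value_name = (?P<name>.+?), data = (?P<data>.+?), "
    r"size = (?P<size>\d+), type = (?P<type>\w+) (?P<ok>True|False) (?P<count>\d+)$")
REG_ADD_RE = re.compile(
    r'^REG ADD "(?P<key>[^"]+)" /v "(?P<name>[^"]+)" /t (?P<type>\w+) /d "(?P<data>[^"]+)"',
    re.IGNORECASE)

AUTORUN_SUFFIXES = (r"\software\microsoft\windows\currentversion\run",
                    r"\software\microsoft\windows\currentversion\runonce")
# Assumed lists: names an autorun value might imitate, and path fragments a
# standard user can write to. Extend both for your own estate.
SYSTEM_NAMES = ("svchost", "csrss", "lsass", "explorer", "winlogon", "services", "spoolsv")
USER_WRITABLE = ("\\users\\public\\", "\\desktop\\", "\\downloads\\", "\\appdata\\", "\\temp\\")

def reg_sz_size(data: str) -> int:
    """Bytes RegSetValueExW stores for a REG_SZ: UTF-16LE text plus a 2-byte NUL."""
    return len(data.encode("utf-16-le")) + 2

def parse_write(line: str) -> dict:
    m = WRITE_RE.match(line)
    if not m:
        raise ValueError("not a Write Value row: " + line)
    d = m.groupdict()
    d["size"], d["count"], d["ok"] = int(d["size"]), int(d["count"]), d["ok"] == "True"
    return d

def parse_reg_add(cmd: str) -> dict:
    m = REG_ADD_RE.match(cmd)
    if not m:
        raise ValueError("not a REG ADD command: " + cmd)
    return m.groupdict()

def lookalike(name: str) -> Optional[str]:
    """System binary name the value name imitates, if any (0.8 similarity is an assumed cut-off)."""
    n = name.lower()
    for real in SYSTEM_NAMES:
        if n != real and SequenceMatcher(None, n, real).ratio() >= 0.8:
            return real
    return None

def assess_autorun(event: dict) -> dict:
    key, data = event["key"].lower(), event["data"].lower()
    result = {
        "autorun": key.endswith(AUTORUN_SUFFIXES),
        "imitates": lookalike(event["name"]),
        "user_writable_target": any(frag in data for frag in USER_WRITABLE),
        # A REG_SZ whose stored size is not (chars + 1) * 2 was written with an embedded
        # NUL or without its terminator; either is worth a second look.
        "size_consistent": event["type"] != "REG_SZ" or reg_sz_size(event["data"]) == event["size"],
    }
    result["suspicious"] = result["autorun"] and (
        result["imitates"] is not None or result["user_writable_target"])
    return result

def command_matches_event(cmd: dict, event: dict) -> bool:
    """The REG ADD command line and the observed Write Value must agree field by field."""
    return all(cmd[f].lower() == event[f].lower() for f in ("key", "name", "type", "data"))

if __name__ == "__main__":
    event = parse_write(RUN_WRITE)
    print(assess_autorun(event), command_matches_event(parse_reg_add(REG_ADD_CMD), event))
```

The size check is cheap and surprisingly useful: sandbox and EDR telemetry usually records the byte count passed to RegSetValueExW, so a REG_SZ whose size disagrees with its visible text is a value with hidden content, and one that is 2 bytes short was written without its terminator, which some tooling then displays with trailing garbage.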
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\reg.exe base_address = 0xffe70000 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:43:50 (UTC) True 1
Get Time type = Ticks, time = 160618 True 1
Process #420: taskeng.exe
86 0
Information Value
ID #420
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {CD671DAD-4B74-4170-B439-24634829D136} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:40, Reason: Injection
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:24
OS Process Information
Information Value
PID 0x59c
Parent PID 0x374 (Unknown)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA50, 0x2AC, 0x5F4, 0x5F0, 0x5B4, 0x5A8, 0x5A0, 0x98C, 0xD80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
pagefile_0x00000000003b0000 0x003b0000 0x00537fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000540000 0x00540000 0x006c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006d0000 0x006d0000 0x01acffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001ad0000 0x01ad0000 0x01ec2fff Pagefile Backed Memory r True False False -
private_0x0000000001ed0000 0x01ed0000 0x01fcffff Private Memory rw True False False -
private_0x0000000001fd0000 0x01fd0000 0x0204ffff Private Memory rw True False False -
private_0x0000000002060000 0x02060000 0x020dffff Private Memory rw True False False -
private_0x0000000002210000 0x02210000 0x0228ffff Private Memory rw True False False -
sortdefault.nls 0x02290000 0x0255efff Memory Mapped File r False False False -
private_0x00000000025a0000 0x025a0000 0x0261ffff Private Memory rw True False False -
private_0x0000000002660000 0x02660000 0x026dffff Private Memory rw True False False -
private_0x00000000026e0000 0x026e0000 0x0275ffff Private Memory rw True False False -
private_0x0000000002840000 0x02840000 0x028bffff Private Memory rw True False False -
pagefile_0x00000000028c0000 0x028c0000 0x0299efff Pagefile Backed Memory r True False False -
private_0x0000000002a10000 0x02a10000 0x02a8ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskeng.exe 0xffcf0000 0xffd63fff Memory Mapped File rwx False False False -
private_0x000000013f060000 0x13f060000 0x13f095fff Private Memory rwx True False False -
tschannel.dll 0x7fef7bb0000 0x7fef7bb8fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
ktmw32.dll 0x7fefab80000 0x7fefab89fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
xmllite.dll 0x7fefbaa0000 0x7fefbad4fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbae0000 0x7fefbaf7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
wevtapi.dll 0x7fefd0e0000 0x7fefd14cfff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe 0x914 address = 0x13f060000, size = 221184 True 1
Create Remote Thread #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe 0x914 address = 0x13f0619a0 True 1
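The two injection rows above, read together with the private rwx region at 0x13f060000 in this process's Region table, reconstruct the injection completely: the 221184-byte write from fmoac.exe (#1, thread 0x914) covers that region exactly (0x13f060000 through 0x13f095fff), and the remote thread starts 0x19a0 bytes into it, so the blob is a self-contained payload with its own entry point rather than a patch to existing code. The Python below is an added example, not VMRay output and not the sample's code: it parses the Region and Injection Information rows as copied from this report and performs that cross-check. The same two rows appear in the Injection Information table of the earlier process on this page, so the check serves it as well. The row layouts are assumed from what is visible here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied from the taskeng.exe (#420) Region and Injection Information tables
# of this report. The parsing and the verdict logic are an added example, not
# part of the VMRay report.
REGION_ROWS = """\
taskeng.exe 0xffcf0000 0xffd63fff Memory Mapped File rwx False False False -
private_0x000000013f060000 0x13f060000 0x13f095fff Private Memory rwx True False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
"""
INJECTION_ROWS = """\
Modify Memory #1: c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fmoac.exe 0x914 address = 0x13f060000, size = 221184 True 1
Create Remote Thread #1: c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fmoac.exe 0x914 address = 0x13f0619a0 True 1
"""

# Column layouts assumed from the rows visible on this page.
REGION_RE = re.compile(
    r"^(?P<name>\S+) (?P<start>0x[0-9a-f]+) (?P<end>0x[0-9a-f]+) "
    r"(?P<type>Private Memory|Pagefile Backed Memory|Memory Mapped File) (?P<perm>rwx|rw|rx|r) ")
INJECT_RE = re.compile(
    r"^(?P<kind>Modify Memory|Create Remote Thread) (?P<src>#\d+): (?P<image>.+?) "
    r"(?P<tid>0x[0-9a-f]+) address = (?P<addr>0x[0-9a-f]+)(?:, size = (?P<size>\d+))? "
    r"(?P<ok>True|False) (?P<count>\d+)$")

@dataclass
class Region:
    name: str
    start: int
    end: int          # inclusive, as printed in the report
    kind: str
    perm: str

@dataclass
class Injection:
    kind: str
    source: str       # report ID of the writing process, e.g. "#1"
    tid: int
    addr: int
    size: Optional[int]
    ok: bool

def parse_regions(text: str) -> list[Region]:
    out = []
    for line in text.splitlines():
        m = REGION_RE.match(line)
        if m:
            out.append(Region(m["name"], int(m["start"], 16), int(m["end"], 16), m["type"], m["perm"]))
    return out

def parse_injections(text: str) -> list[Injection]:
    out = []
    for line in text.splitlines():
        m = INJECT_RE.match(line)
        if m:
            out.append(Injection(m["kind"], m["src"], int(m["tid"], 16), int(m["addr"], 16),
                                 int(m["size"]) if m["size"] else None, m["ok"] == "True"))
    return out

def region_containing(regions: list[Region], addr: int) -> Optional[Region]:
    return next((r for r in regions if r.start <= addr <= r.end), None)

def assess(regions: list[Region], injections: list[Injection], target_id: str) -> dict:
    """Correlate remote writes and remote threads with the target process's memory map."""
    f = {"cross_process": False, "write_region": None, "write_covers_region": False,
         "thread_region": None, "thread_offset": None, "verdict": "no injection"}
    for inj in injections:
        if not inj.ok:
            continue
        f["cross_process"] |= inj.source != target_id
        reg = region_containing(regions, inj.addr)
        if inj.kind == "Modify Memory" and reg and inj.size is not None:
            f["write_region"] = reg.name
            # A write spanning the whole private region is a freshly allocated blob, not a patch.
            f["write_covers_region"] = inj.addr == reg.start and inj.addr + inj.size - 1 == reg.end
        elif inj.kind == "Create Remote Thread" and reg:
            f["thread_region"] = reg.name
            f["thread_offset"] = inj.addr - reg.start
    if f["cross_process"] and f["write_region"] and f["write_region"] == f["thread_region"]:
        reg = next(r for r in regions if r.name == f["write_region"])
        f["verdict"] = (f"remote write + remote thread into {reg.kind.lower()} {reg.perm} region "
                        f"(entry at +0x{f['thread_offset']:x})")
    return f

if __name__ == "__main__":
    print(assess(parse_regions(REGION_ROWS), parse_injections(INJECTION_ROWS), "#420"))
```

The entry offset is the value to carry forward: after dumping the region, +0x19a0 is where to point a disassembler, and a write that lands exactly on the region's bounds confirms the region was allocated for the payload rather than being an existing mapping that was patched.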
Host Behavior
File (2)
Operation Filename Additional Information Success Count
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 2
Module (78)
Operation Module Additional Information Success Count
Load kernel32.dll base_address = 0x77550000 True 1
Load mpr.dll base_address = 0x7fefaaa0000 True 1
Load advapi32.dll base_address = 0x7feff740000 True 1
Load ole32.dll base_address = 0x7fefddf0000 True 1
Load Shell32.dll base_address = 0x7fefe360000 True 1
Load Iphlpapi.dll base_address = 0x7fefaf60000 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77567070 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77572dd0 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77561260 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7feff748140 True 1
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7755ad90 True 1
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7756bdf0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7756c480 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77568070 True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77561910 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x775667a0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7feff74dc20 True 1
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x776940f0 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7759bb30 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x775e8840 True 1
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefaf6e558 True 1
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7755d910 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7759bb40 True 1
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x775594e0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7feff751fd0 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77561500 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7feff75c480 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77572f80 True 1
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7feff751ed0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7feff760710 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x775e5620 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x775637a0 True 1
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x775e8d80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7feff77b6b0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7feff7419bc True 1
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77572b70 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77565cf0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe37983c True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7755f9d0 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x775580c0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7756bd60 True 1
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77561170 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x775664a0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe5bec80 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x775665e0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77567700 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x775731f0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77559b30 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x775735a0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7755b930 True 1
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefaaa41a0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7feff7606f0 True 1
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefaaa42dc True 1
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x775582b0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77552d50 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7feff75b5f0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77561150 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77572b00 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7756bdd0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7756bd80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7feff74d98c True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77553060 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefaaa3e00 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefde0a51c True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7feff77b6d0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7feff74af6c True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7755af00 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x775592d0 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77566620 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77571bb0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7755ad70 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77566580 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7feff74afa0 True 1
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefde17490 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77561870 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x775613e0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7feff77b650 True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7feff74bbb0 True 1
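Read as a set rather than row by row, the 72 GetProcAddress resolutions above describe the injected code's toolkit: CryptoAPI key generation, import, export and bulk encryption; drive and directory enumeration; file read, write, rename and delete; network share and ARP-table enumeration; registry writes; and several ways to launch a process. The Python below is an added example, not VMRay output and not the sample's code: it parses Get Address rows in the layout used on this page and maps them to capability groups, then applies a simple triage rule. The groups, the API-to-group assignment and the rule are my own heuristics, not a VMRay classification, and they are equally applicable to the identical Module table of the earlier process on this page. Only an excerpt of the rows is embedded, enough to exercise every group.

```python
import re

# Excerpt of the Get Address rows from this report, copied verbatim. The group
# definitions and the triage rule are an added example, not VMRay output.
GET_ADDRESS_ROWS = """\
Get Address c:\\windows\\system32\\advapi32.dll function = CryptExportKey, address_out = 0x7feff748140 True 1
Get Address c:\\windows\\system32\\advapi32.dll function = CryptGenKey, address_out = 0x7feff7419bc True 1
Get Address c:\\windows\\system32\\advapi32.dll function = CryptImportKey, address_out = 0x7feff74af6c True 1
Get Address c:\\windows\\system32\\advapi32.dll function = CryptEncrypt, address_out = 0x7feff77b650 True 1
Get Address c:\\windows\\system32\\kernel32.dll function = GetLogicalDrives, address_out = 0x7755b930 True 1
Get Address c:\\windows\\system32\\kernel32.dll function = GetDriveTypeW, address_out = 0x7756bdf0 True 1
Get Address c:\\windows\\system32\\kernel32.dll function = FindFirstFileW, address_out = 0x7756bd80 True 1
Get Address c:\\windows\\system32\\kernel32.dll function = FindNextFileW, address_out = 0x77561910 True 1
Get Address c:\\windows\\system32\\kernel32.dll function = WriteFile, address_out = 0x775735a0 True 1
Get Address c:\\windows\\system32\\kernel32.dll function = MoveFileExW, address_out = 0x77553060 True 1
Get Address c:\\windows\\system32\\kernel32.dll function = DeleteFileW, address_out = 0x7755ad90 True 1
Get Address c:\\windows\\system32\\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefaaa3e00 True 1
Get Address c:\\windows\\system32\\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefaaa41a0 True 1
Get Address c:\\windows\\system32\\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefaf6e558 True 1
Get Address c:\\windows\\system32\\advapi32.dll function = RegSetValueExW, address_out = 0x7feff751ed0 True 1
Get Address c:\\windows\\system32\\kernel32.dll function = CreateProcessW, address_out = 0x77571bb0 True 1
Get Address c:\\windows\\system32\\kernel32.dll function = WinExec, address_out = 0x775e8d80 True 1
Get Address c:\\windows\\system32\\shell32.dll function = ShellExecuteW, address_out = 0x7fefe37983c True 1
Get Address c:\\windows\\system32\\kernel32.dll function = GetTickCount, address_out = 0x77572b00 True 1
"""

# Row layout assumed from what is visible on this page.
ROW_RE = re.compile(r"^Get Address (?P<module>\S+) function = (?P<func>\w+), "
                    r"address_out = (?P<addr>0x[0-9a-f]+) (?P<ok>True|False) (?P<count>\d+)$")

# Assumed capability groups. Membership is deliberately narrow: an API counts only
# when it is hard to explain outside the capability it is listed under.
CAPABILITIES = {
    "crypto_keygen":   {"CryptAcquireContextW", "CryptGenKey", "CryptDeriveKey", "CryptImportKey",
                        "CryptExportKey", "CryptDestroyKey"},
    "crypto_bulk":     {"CryptEncrypt", "CryptDecrypt"},
    "drive_walk":      {"GetLogicalDrives", "GetDriveTypeW", "FindFirstFileW", "FindNextFileW", "FindClose"},
    "file_rewrite":    {"CreateFileW", "CreateFileA", "ReadFile", "WriteFile", "SetFilePointer",
                        "SetFilePointerEx", "MoveFileExW", "DeleteFileW", "CopyFileW", "CopyFileA"},
    "share_discovery": {"WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum", "GetIpNetTable"},
    "registry_write":  {"RegOpenKeyExW", "RegOpenKeyExA", "RegSetValueExW", "RegDeleteValueW"},
    "spawn":           {"CreateProcessA", "CreateProcessW", "WinExec", "ShellExecuteA", "ShellExecuteW"},
}

def parse_resolved(text: str) -> dict[str, str]:
    """Map each successfully resolved function name to its exporting module (basename, lower-case)."""
    resolved = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m["ok"] == "True":
            resolved[m["func"]] = m["module"].rsplit("\\", 1)[-1].lower()
    return resolved

def profile(resolved: dict[str, str]) -> dict[str, list[str]]:
    """Capability group -> sorted APIs from that group the sample resolved (empty groups omitted)."""
    names = set(resolved)
    return {cap: sorted(apis & names) for cap, apis in CAPABILITIES.items() if apis & names}

def triage(prof: dict[str, list[str]]) -> dict:
    """Heuristic: a file encryptor needs keys, bulk encryption, a walk and a rewrite path.
    Share discovery on top marks a sample that will also reach for network drives."""
    required = ("crypto_keygen", "crypto_bulk", "drive_walk", "file_rewrite")
    return {
        "likely_file_encryptor": all(cap in prof for cap in required),
        "network_spread_capable": "share_discovery" in prof,
        "persists_via_registry": "registry_write" in prof,
        "matched_groups": sorted(prof),
    }

if __name__ == "__main__":
    prof = profile(parse_resolved(GET_ADDRESS_ROWS))
    for cap, apis in prof.items():
        print(f"{cap:16s} {', '.join(apis)}")
    print(triage(prof))
```

Resolving APIs by name at run time, as every row in this table shows, is itself the reason a static import table would have told you nothing here; the Get Address log is the import table, and grouping it is the fastest way to read it.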
System (6)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Sleep duration = 9000 milliseconds (9.000 seconds) True 2
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 2
Process #422: fmoac.exe
474 0
Information Value
ID #422
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:38, Reason: Autostart
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:01:30
OS Process Information
Information Value
PID 0x77c
Parent PID 0x708 (c:\program files (x86)\windows defender\dev.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs (232, in report order; an ID that appears more than once was reused after the earlier thread with that ID exited)
0x780, 0x61C, 0x4E4, 0x468, 0x6D8, 0x45C, 0x640, 0x130, 0x32C, 0x324, 0x7BC, 0x274, 0x32C, 0x818, 0x84C, 0x884,
0x8DC, 0x8FC, 0x928, 0x974, 0x99C, 0x9C0, 0xA24, 0xA48, 0xA64, 0xA8C, 0xAC8, 0xAEC, 0xB2C, 0xB48, 0xB9C, 0xBB8,
0xBF4, 0x91C, 0x9F0, 0xA64, 0xB48, 0xC1C, 0xC30, 0xC48, 0xC80, 0xCCC, 0xCEC, 0xD14, 0xD4C, 0xD68, 0xD94, 0xDA8,
0xDD8, 0xE08, 0xE24, 0xEF8, 0xF10, 0xF38, 0xF74, 0xC58, 0xD68, 0x6D4, 0x910, 0x858, 0x8CC, 0x5F4, 0x88C, 0x754,
0x874, 0x814, 0x8E8, 0x314, 0x5F8, 0xC88, 0x330, 0x7E8, 0xA78, 0xC20, 0xEC0, 0xF48, 0xF18, 0xDE4, 0xFA4, 0xFB8,
0xA30, 0xFD0, 0xE10, 0xFD4, 0xCB0, 0xB0C, 0x714, 0xBDC, 0xBD4, 0x9A8, 0xB60, 0xC7C, 0x8F8, 0xBBC, 0xBF0, 0xAB8,
0xA88, 0x968, 0xB88, 0xBA8, 0xDCC, 0x8F4, 0xB24, 0xA3C, 0xCA8, 0xC38, 0x9EC, 0xEDC, 0xF7C, 0xDA0, 0xF3C, 0xDBC,
0xF6C, 0xCAC, 0xB48, 0x90C, 0x404, 0x88C, 0x7F0, 0x814, 0x880, 0x144, 0x79C, 0xC88, 0xA8C, 0x9D4, 0xC20, 0xEC0,
0x980, 0xDAC, 0xE84, 0xFB4, 0xFC0, 0xC68, 0x950, 0xA2C, 0xDF8, 0xFE4, 0x714, 0xA44, 0xC84, 0xC34, 0x1C8, 0x8D4,
0x58C, 0xECC, 0xA14, 0xDC4, 0xBBC, 0xAF8, 0xAB8, 0xA90, 0xC54, 0x8DC, 0xAA0, 0xA54, 0xC74, 0xB2C, 0xCE4, 0xC28,
0xA74, 0xBA4, 0xC9C, 0x8A4, 0xBFC, 0xC3C, 0xB58, 0xF74, 0xD98, 0xF34, 0xD14, 0xDE8, 0x914, 0x88C, 0xE58, 0xE60,
0xDB4, 0xDD8, 0xA08, 0x330, 0x7B4, 0x834, 0x980, 0xDAC, 0x95C, 0xE80, 0xE6C, 0xD78, 0xD74, 0xCC0, 0xFD4, 0xCF0,
0xA6C, 0xA44, 0xDF0, 0x948, 0x7E0, 0xCBC, 0xD88, 0x8D4, 0x644, 0x448, 0x820, 0xECC, 0x878, 0xBB8, 0xDB8, 0xD48,
0xB20, 0xAB8, 0xC2C, 0xFF0, 0x4F0, 0xAA8, 0xD84, 0xB18, 0xA34, 0x84C, 0xBA8, 0xB04, 0xA7C, 0x868, 0xCE8, 0xAC0,
0x350, 0xF74, 0xC58, 0xC80, 0x90C, 0xD24, 0x7CC, 0xE58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory rw True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000080000 0x00080000 0x00080fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0008ffff Private Memory rw True False False -
pagefile_0x0000000000080000 0x00080000 0x00085fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000090000 0x00090000 0x00091fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
locale.nls 0x001b0000 0x00216fff Memory Mapped File r False False False -
oleaccrc.dll 0x00220000 0x00220fff Memory Mapped File r False False False -
pagefile_0x0000000000220000 0x00220000 0x00225fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000230000 0x00230000 0x00231fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000240000 0x00240000 0x00246fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x00260000 0x00263fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db 0x00270000 0x0028efff Memory Mapped File r True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x002a0000 0x002a3fff Memory Mapped File r True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x004b0000 0x004dffff Memory Mapped File r True False False -
pagefile_0x00000000004e0000 0x004e0000 0x004e0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000004f0000 0x004f0000 0x004f0fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x00500000 0x00503fff Memory Mapped File r True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory rw True False False -
pagefile_0x0000000000540000 0x00540000 0x006c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006d0000 0x006d0000 0x00850fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000860000 0x00860000 0x01c5ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01c60000 0x01f2efff Memory Mapped File r False False False -
pagefile_0x0000000001f30000 0x01f30000 0x0200efff Pagefile Backed Memory r True False False -
private_0x0000000002010000 0x02010000 0x0210ffff Private Memory rw True False False -
rsaenh.dll 0x02010000 0x02054fff Memory Mapped File r False False False -
private_0x0000000002030000 0x02030000 0x0212ffff Private Memory rw True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x02130000 0x02195fff Memory Mapped File r True False False -
private_0x00000000021d0000 0x021d0000 0x022cffff Private Memory rw True False False -
private_0x00000000022d0000 0x022d0000 0x0234ffff Private Memory rw True False False -
pagefile_0x0000000002350000 0x02350000 0x02742fff Pagefile Backed Memory r True False False -
private_0x0000000002760000 0x02760000 0x0285ffff Private Memory rw True False False -
private_0x0000000002870000 0x02870000 0x0296ffff Private Memory rw True False False -
private_0x0000000002970000 0x02970000 0x02a6ffff Private Memory rw True False False -
private_0x0000000002990000 0x02990000 0x02a8ffff Private Memory rw True False False -
private_0x0000000002aa0000 0x02aa0000 0x02b9ffff Private Memory rw True False False -
private_0x0000000002ba0000 0x02ba0000 0x02c9ffff Private Memory rw True False False -
private_0x0000000002bc0000 0x02bc0000 0x02cbffff Private Memory rw True False False -
private_0x0000000002be0000 0x02be0000 0x02cdffff Private Memory rw True False False -
private_0x0000000002c20000 0x02c20000 0x02d1ffff Private Memory rw True False False -
private_0x0000000002c50000 0x02c50000 0x02d4ffff Private Memory rw True False False -
private_0x0000000002c60000 0x02c60000 0x02d5ffff Private Memory rw True False False -
private_0x0000000002ca0000 0x02ca0000 0x02d9ffff Private Memory rw True False False -
private_0x0000000002cb0000 0x02cb0000 0x02daffff Private Memory rw True False False -
private_0x0000000002cc0000 0x02cc0000 0x02dbffff Private Memory rw True False False -
private_0x0000000002ce0000 0x02ce0000 0x02ddffff Private Memory rw True False False -
private_0x0000000002d40000 0x02d40000 0x02e3ffff Private Memory rw True False False -
private_0x0000000002d60000 0x02d60000 0x02e5ffff Private Memory rw True False False -
private_0x0000000002d80000 0x02d80000 0x02e7ffff Private Memory rw True False False -
private_0x0000000002de0000 0x02de0000 0x02edffff Private Memory rw True False False -
private_0x0000000002eb0000 0x02eb0000 0x02faffff Private Memory rw True False False -
private_0x0000000002ec0000 0x02ec0000 0x02fbffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
psapi.dll 0x77dd0000 0x77dd6fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
fmoac.exe 0x13f0c0000 0x13f0f5fff Memory Mapped File rwx True True False
ieframe.dll 0x7fef4180000 0x7fef4d36fff Memory Mapped File rwx False False False -
oleacc.dll 0x7fef5360000 0x7fef53b3fff Memory Mapped File rwx False False False -
oleacc.dll 0x7fef5e30000 0x7fef5e83fff Memory Mapped File rwx False False False -
ieframe.dll 0x7fef5e90000 0x7fef6a46fff Memory Mapped File rwx False False False -
apphelp.dll 0x7fefa380000 0x7fefa3d6fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
api-ms-win-core-synch-l1-2-0.dll 0x7fefb350000 0x7fefb352fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefb9e0000 0x7fefba0cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefc4b0000 0x7fefc505fff Memory Mapped File rwx False False False -
propsys.dll 0x7fefc510000 0x7fefc63bfff Memory Mapped File rwx False False False -
comctl32.dll 0x7fefc690000 0x7fefc883fff Memory Mapped File rwx False False False -
userenv.dll 0x7fefcf10000 0x7fefcf2dfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
profapi.dll 0x7fefdb60000 0x7fefdb6efff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefdc00000 0x7fefdc0efff Memory Mapped File rwx False False False -
devobj.dll 0x7fefdc10000 0x7fefdc29fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefdd80000 0x7fefddb5fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefddc0000 0x7fefdf26fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
wldap32.dll 0x7fefe320000 0x7fefe371fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe460000 0x7feff1e7fff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
setupapi.dll 0x7feff510000 0x7feff6e6fff Memory Mapped File rwx False False False -
wininet.dll 0x7feff6f0000 0x7feff819fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
urlmon.dll 0x7feffad0000 0x7feffc47fff Memory Mapped File rwx False False False -
iertutil.dll 0x7feffcc0000 0x7fefff18fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write C:\users\Public\PUBLIC size = 276 True 1
Fn
Data
Write C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE size = 1444 True 1
Fn
Data
Delete - - False 1
Fn
Process (289)
Operation Process Additional Information Success Count Logfile
Create taskkill show_window = SW_HIDE True 1 (identical row repeated 44 times)
Fn
Create net show_window = SW_HIDE True 1 (identical row repeated 178 times)
Fn
Create net show_window = SW_HIDE True 2 (identical row repeated 3 times)
Fn
Create C:\Windows\System32\cmd.exe show_window = SW_HIDE True 1
Fn
Open System desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\sppsvc.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\windows defender\dev.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\common files\java\java update\jusched.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\common files\java\java update\jusched.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Thread (2)
Operation Process Additional Information Success Count Logfile
Create c:\windows\system32\taskhost.exe proc_address = 0x13f0c19a0, proc_parameter = 5352718336, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Create c:\windows\system32\conhost.exe proc_address = 0x13f0c19a0, proc_parameter = 5352718336, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Memory (6)
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\system32\taskhost.exe address = 0x13f0c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1
Fn
Allocate c:\windows\system32\conhost.exe address = 0x13f0c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1
Fn
Allocate c:\windows\system32\net.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Fn
Allocate c:\program files (x86)\common files\java\java update\jusched.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Fn
Write c:\windows\system32\taskhost.exe address = 0x13f0c0000, size = 221184 True 1
Fn
Data
Write c:\windows\system32\conhost.exe address = 0x13f0c0000, size = 221184 True 1
Fn
Data
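Detection note, added here as an example and not part of the VMRay report or the sample's code: read together, the Process, Thread and Memory tables above show the classic remote-thread injection sequence (open a handle to the target, allocate a PAGE_EXECUTE_READWRITE region of 221184 bytes at the same address the sample itself is mapped at, write the payload, start a thread at an address inside that region), and the Process table also shows the burst of hidden taskkill and net child processes that precedes encryption. The Python below parses a constructed sample of rows in the same layout as these tables (the "Operation Target key = value, ... Success Count" layout with the Fn/Data link rows dropped is an assumption about the exported text) and flags both patterns. The image names, addresses and sizes in the sample are copied from the rows above; the lsass.exe row and the threshold of 3 are constructed for the example. Targets where a stage failed, such as the address = 0x0 allocations in net.exe and jusched.exe, are deliberately not flagged, since the chain was never completed there.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows in the layout of the Process/Thread/Memory tables,
# with the section name prepended. The row layout itself is an assumption
# about the exported text; adjust ROW_RE if your export differs.
SAMPLE_ROWS = [
    ("Process", r"Create taskkill show_window = SW_HIDE True 1"),
    ("Process", r"Create taskkill show_window = SW_HIDE True 1"),
    ("Process", r"Create taskkill show_window = SW_HIDE True 1"),
    ("Process", r"Create net show_window = SW_HIDE True 1"),
    ("Process", r"Create net show_window = SW_HIDE True 1"),
    ("Process", r"Create net show_window = SW_HIDE True 2"),
    ("Process", r"Create C:\Windows\System32\cmd.exe show_window = SW_HIDE True 1"),
    ("Process", r"Open c:\windows\system32\lsass.exe desired_access = PROCESS_ALL_ACCESS False 1"),
    ("Process", r"Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1"),
    ("Process", r"Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1"),
    ("Process", r"Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1"),
    ("Process", r"Open c:\program files (x86)\common files\java\java update\jusched.exe desired_access = PROCESS_ALL_ACCESS True 1"),
    ("Memory", r"Allocate c:\windows\system32\taskhost.exe address = 0x13f0c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1"),
    ("Memory", r"Allocate c:\windows\system32\conhost.exe address = 0x13f0c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1"),
    ("Memory", r"Allocate c:\windows\system32\net.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1"),
    ("Memory", r"Allocate c:\program files (x86)\common files\java\java update\jusched.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1"),
    ("Memory", r"Write c:\windows\system32\taskhost.exe address = 0x13f0c0000, size = 221184 True 1"),
    ("Memory", r"Write c:\windows\system32\conhost.exe address = 0x13f0c0000, size = 221184 True 1"),
    ("Thread", r"Create c:\windows\system32\taskhost.exe proc_address = 0x13f0c19a0, proc_parameter = 5352718336, flags = THREAD_RUNS_IMMEDIATELY True 1"),
    ("Thread", r"Create c:\windows\system32\conhost.exe proc_address = 0x13f0c19a0, proc_parameter = 5352718336, flags = THREAD_RUNS_IMMEDIATELY True 1"),
]

# "<Operation> <target and key = value pairs> <True|False> <count>"
ROW_RE = re.compile(r"^(?P<op>\w+) (?P<rest>.+) (?P<ok>True|False) (?P<count>\d+)$")
# The target (image name or path, may contain spaces) ends where the first
# "key = " of the Additional Information column begins.
KV_RE = re.compile(r"\s(\w+) = ")


def parse_row(section, line):
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable row: {line!r}")
    rest = m.group("rest")
    kv = KV_RE.search(rest)
    target, info_str = (rest[:kv.start()], rest[kv.start():].strip()) if kv else (rest, "")
    info = {}
    # allocation_type carries a comma-separated value ("MEM_COMMIT, MEM_RESERVE"),
    # so split only on ", " that is followed by another "key = ".
    for piece in re.split(r", (?=\w+ = )", info_str):
        if " = " in piece:
            k, v = piece.split(" = ", 1)
            info[k] = v
    return {"section": section, "op": m.group("op"), "target": target.lower(),
            "info": info, "ok": m.group("ok") == "True", "count": int(m.group("count"))}


def find_remote_injection(events):
    """Targets that received every stage of the chain: handle -> RWX alloc -> write -> thread."""
    stages = defaultdict(set)
    for e in events:
        if not e["ok"]:
            continue  # a failed stage (the 0x0 allocation in net.exe) means no injection there
        if e["section"] == "Process" and e["op"] == "Open":
            # PROCESS_ALL_ACCESS is what this sample asked for; VM_WRITE|CREATE_THREAD would do.
            stages[e["target"]].add("open")
        elif e["section"] == "Memory" and e["op"] == "Allocate" \
                and "PAGE_EXECUTE_READWRITE" in e["info"].get("protection", ""):
            stages[e["target"]].add("alloc_rwx")
        elif e["section"] == "Memory" and e["op"] == "Write":
            stages[e["target"]].add("write")
        elif e["section"] == "Thread" and e["op"] == "Create":
            stages[e["target"]].add("thread")
    needed = {"open", "alloc_rwx", "write", "thread"}
    return sorted(t for t, s in stages.items() if needed <= s)


def count_hidden_spawns(events):
    """Hidden-window child processes per image name, weighted by the Count column."""
    c = Counter()
    for e in events:
        if e["section"] == "Process" and e["op"] == "Create" \
                and e["info"].get("show_window") == "SW_HIDE":
            c[e["target"].rsplit("\\", 1)[-1]] += e["count"]
    return c


KILL_TOOLS = {"taskkill", "taskkill.exe", "net", "net.exe"}


def flag_service_kill_burst(events, threshold=3):
    """Kill/stop utilities spawned at least `threshold` times (threshold is an assumed tuning value)."""
    return {n: k for n, k in count_hidden_spawns(events).items() if n in KILL_TOOLS and k >= threshold}


EVENTS = [parse_row(section, line) for section, line in SAMPLE_ROWS]

if __name__ == "__main__":
    print("injected into:", find_remote_injection(EVENTS))
    print("hidden spawns:", dict(count_hidden_spawns(EVENTS)))
    print("service-kill burst:", flag_service_kill_burst(EVENTS))
```

On the design: the chain check keys every stage on the target image name because that is the only identity these tables expose; in a real telemetry pipeline key on the target PID instead, since the report lists two taskhost.exe handles (one opened, one refused) that are different processes. The RWX allocation at the sample's own image base, with the same 221184-byte size as its mapped image, is the strongest single indicator here and is worth alerting on even without the thread stage.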
Module (114)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x7fefb350000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 4
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x77af0000 True 2
Fn
Load advapi32 base_address = 0x0 False 1
Fn
Load advapi32 base_address = 0x7fefe380000 True 1
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 2
Fn
Load kernel32.dll base_address = 0x77af0000 True 2
Fn
Load mpr.dll base_address = 0x7fefb000000 True 1
Fn
Load advapi32.dll base_address = 0x7fefe380000 True 1
Fn
Load ole32.dll base_address = 0x7fefe110000 True 1
Fn
Load Shell32.dll base_address = 0x7fefe460000 True 1
Fn
Load Iphlpapi.dll base_address = 0x7fefb500000 True 1
Fn
Get Handle c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe base_address = 0x13f0c0000 True 4
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe, size = 260 True 2
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe, size = 320 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe, size = 100 True 1
Fn
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 2
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x77b07190 True 2
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x77b0bd90 True 2
Fn
Get Address c:\windows\system32\advapi32.dll function = EventRegister, address_out = 0x77c4cac0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = EventSetInformation, address_out = 0x0 False 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x77b13520 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x77b3b710 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x77af91d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77b07070 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77b12dd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77b01260 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7fefe388140 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x77afad90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x77b0bdf0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x77b0c480 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77b08070 True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77b01910 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x77b067a0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7fefe38dc20 True 1
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x77c340f0 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x77b3bb30 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x77b88840 True 1
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefb50e558 True 1
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x77afd910 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x77b3bb40 True 1
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x77af94e0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7fefe391fd0 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77b01500 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefe39c480 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77b12f80 True 1
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7fefe391ed0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefe3a0710 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x77b85620 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x77b037a0 True 1
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x77b88d80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7fefe3bb6b0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7fefe3819bc True 1
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77b12b70 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77b05cf0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe47983c True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x77aff9d0 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x77af80c0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x77b0bd60 True 1
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77b01170 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x77b064a0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe6bec80 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x77b065e0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77b07700 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x77b131f0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77af9b30 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x77b135a0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x77afb930 True 1
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefb0041a0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7fefe3a06f0 True 1
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefb0042dc True 1
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x77af82b0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77af2d50 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefe39b5f0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77b01150 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77b12b00 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x77b0bdd0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x77b0bd80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7fefe38d98c True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77af3060 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefb003e00 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefe12a51c True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7fefe3bb6d0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7fefe38af6c True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x77afaf00 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x77af92d0 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77b06620 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77b11bb0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x77afad70 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77b06580 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7fefe38afa0 True 1
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefe137490 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77b01870 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x77b013e0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7fefe3bb650 True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7fefe38bbb0 True 1
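The resolved-import rows above are the most useful triage signal in this part of the report: CryptAcquireContextW, CryptGenKey, CryptImportKey/CryptExportKey and CryptEncrypt next to GetLogicalDrives, FindFirstFileW/FindNextFileW and MoveFileExW/DeleteFileW is the usual CryptoAPI ransomware shape, and WNetOpenEnumW/WNetEnumResourceW together with GetIpNetTable points at share and neighbour discovery. The script below is an added example, not part of the VMRay report: it parses rows in exactly the layout printed above (a subset of them is embedded as a constructed sample), discards lookups that failed (address_out = 0x0 / False, which here is only the CRT probing for InitializeCriticalSectionEx and EventSetInformation), and groups the rest into capability buckets. The bucket names and the triage rule are the editor's assumptions, not VMRay's VTI scoring.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Get Address" rows from this report,
# one row per line exactly as the page prints them.
SAMPLE_ROWS = r"""
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 2
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x77b07190 True 2
Get Address c:\windows\system32\advapi32.dll function = EventSetInformation, address_out = 0x0 False 1
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7fefe388140 True 1
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x77afad90 True 1
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x77b0bdf0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77b01910 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x77b88840 True 1
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefb50e558 True 1
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x77b88d80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7fefe3bb6b0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7fefe3819bc True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x77afb930 True 1
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefb0041a0 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefb003e00 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x77b0bd80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7fefe38d98c True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77af3060 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7fefe38af6c True 1
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7fefe3bb650 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x77b037a0 True 1
"""

# One report row: "Get Address <module> function = <name>, address_out = <hex> <True|False> <count>"
ROW_RE = re.compile(
    r"^Get Address (?P<module>\S+) function = (?P<func>\w+), "
    r"address_out = (?P<addr>0x[0-9a-fA-F]+) (?P<ok>True|False) (?P<count>\d+)$"
)

# Editor's capability buckets; an assumption for triage, not VMRay's rules.
CAPABILITIES = {
    "crypto_api": {"CryptAcquireContextW", "CryptGenKey", "CryptDeriveKey", "CryptImportKey",
                   "CryptExportKey", "CryptEncrypt", "CryptDecrypt", "CryptDestroyKey"},
    "filesystem_walk": {"GetLogicalDrives", "GetDriveTypeW", "FindFirstFileW",
                        "FindNextFileW", "FindClose"},
    "file_rewrite": {"MoveFileExW", "DeleteFileW", "SetFileAttributesW", "CopyFileW", "WriteFile"},
    "network_discovery": {"WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum", "GetIpNetTable"},
    "process_launch": {"CreateProcessA", "CreateProcessW", "WinExec", "ShellExecuteA", "ShellExecuteW"},
}


def parse_rows(text):
    """Parse report rows into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "module": m["module"].rsplit("\\", 1)[-1],   # keep only the DLL file name
            "func": m["func"],
            "addr": int(m["addr"], 16),
            "ok": m["ok"] == "True",
            "count": int(m["count"]),
        })
    return rows


def unresolved(rows):
    """Functions GetProcAddress could not find (address_out = 0x0 or Success = False)."""
    return [r["func"] for r in rows if not r["ok"] or r["addr"] == 0]


def resolved_capabilities(rows):
    """Map bucket name -> sorted list of functions that actually resolved.

    A failed lookup is not a capability the sample can use, so it is excluded
    rather than counted (this is what makes the CRT probes harmless noise).
    """
    found = defaultdict(set)
    for r in rows:
        if not r["ok"] or r["addr"] == 0:
            continue
        for bucket, names in CAPABILITIES.items():
            if r["func"] in names:
                found[bucket].add(r["func"])
    return {b: sorted(v) for b, v in found.items()}


def ransomware_like(caps):
    """Cheap triage verdict: crypto plus a filesystem walk plus in-place file rewriting."""
    return all(b in caps for b in ("crypto_api", "filesystem_walk", "file_rewrite"))


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    caps = resolved_capabilities(rows)
    for bucket, funcs in caps.items():
        print(f"{bucket:18s} {', '.join(funcs)}")
    print("unresolved:", ", ".join(unresolved(rows)))
    print("ransomware-like:", ransomware_like(caps))
```

Run it against the full table by pasting the remaining rows into SAMPLE_ROWS; anything that fails to match the layout is silently skipped, so check the row count if the verdict looks thin. The verdict is a triage hint only: a legitimate backup or archiving tool resolves much the same set, which is why the process-kill behaviour further down the report carries more weight than the import list alone.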
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (28)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 2
Sleep duration = 300 milliseconds (0.300 seconds) True 19
Get Time type = System Time, time = 2018-11-27 08:44:56 (UTC) True 1
Get Info type = Operating System True 2
Get Info type = Windows Directory, result_out = C:\Windows True 4
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Process #423: taskkill.exe
Information Value
ID #423
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:46, Reason: Child Process
Unmonitor End Time: 00:03:06, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x448
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x458
0x404
0x808
0x860
0x864
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00430000 0x004effff Memory Mapped File rw False False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory rw True False False -
pagefile_0x0000000000520000 0x00520000 0x006a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000840000 0x00840000 0x01c3ffff Pagefile Backed Memory r True False False -
private_0x0000000001cb0000 0x01cb0000 0x01d2ffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
sortdefault.nls 0x01e00000 0x020cefff Memory Mapped File r False False False -
private_0x00000000020f0000 0x020f0000 0x0216ffff Private Memory rw True False False -
private_0x00000000021d0000 0x021d0000 0x0224ffff Private Memory rw True False False -
private_0x00000000022f0000 0x022f0000 0x0236ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef9b10000 0x7fef9b23fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #424: taskkill.exe
Information Value
ID #424
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:46, Reason: Child Process
Unmonitor End Time: 00:03:07, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x78c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x63C
0x754
0x804
0x858
0x85C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00170000 0x00173fff Memory Mapped File rw False False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x00000000002d0000 0x002d0000 0x0034ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000610000 0x00610000 0x00790fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007a0000 0x007a0000 0x01b9ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ba0000 0x01c5ffff Memory Mapped File rw False False False -
private_0x0000000001c80000 0x01c80000 0x01cfffff Private Memory rw True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001dc0000 0x01dc0000 0x01e3ffff Private Memory rw True False False -
private_0x0000000001e40000 0x01e40000 0x01ebffff Private Memory rw True False False -
sortdefault.nls 0x01ec0000 0x0218efff Memory Mapped File r False False False -
private_0x00000000021e0000 0x021e0000 0x0225ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef9b10000 0x7fef9b23fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #425: taskkill.exe
Information Value
ID #425
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:46, Reason: Child Process
Unmonitor End Time: 00:03:07, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x174
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x218
0x58C
0x40C
0x6D4
0x61C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00120000 0x001dffff Memory Mapped File rw False False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e0fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory r True False False -
private_0x00000000002c0000 0x002c0000 0x0033ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
pagefile_0x0000000000550000 0x00550000 0x006d7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x00860fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000870000 0x00870000 0x01c6ffff Pagefile Backed Memory r True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001de0000 0x01de0000 0x01e5ffff Private Memory rw True False False -
private_0x0000000001ef0000 0x01ef0000 0x01f6ffff Private Memory rw True False False -
sortdefault.nls 0x01f70000 0x0223efff Memory Mapped File r False False False -
private_0x0000000002240000 0x02240000 0x022bffff Private Memory rw True False False -
private_0x00000000022e0000 0x022e0000 0x0235ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef9b10000 0x7fef9b23fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
fastprox.dll 0x7fef9e30000 0x7fef9f11fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
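Each taskkill.exe child above ran `/IM <name> /F` from the same parent (PID 0x77c) within about a second of the others, which is how ransomware releases locks held by backup agents and database engines before it starts overwriting their files. The detection below is an added example, not part of the VMRay report: it takes process-creation records in the shape of Sysmon event 1 / Security 4688 (the four taskkill children from this page re-typed as constructed events, with the Monitor Start Time converted to seconds, plus one constructed benign taskkill from another parent as a negative case), finds any parent that spawns several forced taskkill children inside a sliding time window, and reports the targeted image names and which of them are on a watchlist. The watchlist holds only the four names seen on this page; extend it with your environment's backup and database agents.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 shape)."""
    ts: float       # seconds since the start of the recording
    pid: int
    ppid: int
    image: str
    cmdline: str


TASKKILL = r"c:\windows\system32\taskkill.exe"

# Constructed events: the four taskkill children listed on this page (PIDs and
# parent 0x77c as reported, Monitor Start Time 00:02:46/00:02:47 as seconds),
# plus one made-up benign taskkill from a different parent as a negative case.
EVENTS = [
    ProcEvent(166.0, 0x448, 0x77c, TASKKILL, r'"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F'),
    ProcEvent(166.0, 0x78c, 0x77c, TASKKILL, r'"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F'),
    ProcEvent(166.0, 0x174, 0x77c, TASKKILL, r'"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F'),
    ProcEvent(167.0, 0x334, 0x77c, TASKKILL, r'"C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F'),
    ProcEvent(400.0, 0x9f0, 0x5c8, TASKKILL, r'"C:\Windows\System32\taskkill.exe" /IM notepad.exe /F'),
]

# Only the names this report shows being killed; extend for your environment.
BACKUP_DB_PROCESSES = {"zoolz.exe", "agntsvc.exe", "dbeng50.exe", "dbsnmp.exe"}

IM_RE = re.compile(r"/IM\s+(\S+)", re.IGNORECASE)


def kill_target(cmdline):
    """Image name given to taskkill /IM, lower-cased; None for /PID or no target."""
    m = IM_RE.search(cmdline)
    return m.group(1).lower() if m else None


def is_forced_taskkill(ev):
    """True for taskkill.exe launched with the /F (force) switch."""
    return ev.image.lower().endswith("\\taskkill.exe") and "/f" in ev.cmdline.lower().split()


def taskkill_bursts(events, min_kills=3, window_s=10.0):
    """One finding per parent that launched >= min_kills forced taskkill
    children within any window_s-second span (sliding window per parent)."""
    by_parent = defaultdict(list)
    for ev in events:
        if is_forced_taskkill(ev):
            by_parent[ev.ppid].append(ev)

    findings = []
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e.ts)
        best, best_slice, start = 0, [], 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window_s:
                start += 1          # slide the window forward
            if end - start + 1 > best:
                best, best_slice = end - start + 1, evs[start:end + 1]
        if best >= min_kills:
            targets = sorted({t for t in (kill_target(e.cmdline) for e in best_slice) if t})
            findings.append({
                "ppid": ppid,
                "count": best,
                "targets": targets,
                "watchlist_hits": sorted(set(targets) & BACKUP_DB_PROCESSES),
            })
    return findings


if __name__ == "__main__":
    for f in taskkill_bursts(EVENTS):
        print(f"parent 0x{f['ppid']:x} force-killed {f['count']} processes: {', '.join(f['targets'])}"
              f" (watchlist hits: {', '.join(f['watchlist_hits']) or 'none'})")
```

Three forced kills in ten seconds is a deliberately low threshold; the sample here launches far more than that (see the process overview), so tune `min_kills` upward if administrative scripts in your estate trip it, and treat any watchlist hit as worth an alert on its own.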
Process #426: taskkill.exe
Information Value
ID #426
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:47, Reason: Child Process
Unmonitor End Time: 00:03:06, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x334
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x344
0x5F4
0x80C
0x868
0x86C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0049ffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007d0000 0x007d0000 0x01bcffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01bd0000 0x01c8ffff Memory Mapped File rw False False False -
private_0x0000000001cd0000 0x01cd0000 0x01d4ffff Private Memory rw True False False -
private_0x0000000001dd0000 0x01dd0000 0x01e4ffff Private Memory rw True False False -
private_0x0000000001eb0000 0x01eb0000 0x01f2ffff Private Memory rw True False False -
sortdefault.nls 0x01f30000 0x021fefff Memory Mapped File r False False False -
private_0x0000000002330000 0x02330000 0x023affff Private Memory rw True False False -
private_0x00000000023b0000 0x023b0000 0x0242ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #427: taskkill.exe
Information Value
ID #427
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:47, Reason: Child Process
Unmonitor End Time: 00:03:07, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7c8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7C0
0x640
0x3A8
0x838
0x83C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
pagefile_0x0000000000410000 0x00410000 0x00597fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005a0000 0x005a0000 0x00720fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000730000 0x00730000 0x01b2ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b30000 0x01beffff Memory Mapped File rw False False False -
private_0x0000000001c20000 0x01c20000 0x01c9ffff Private Memory rw True False False -
private_0x0000000001cd0000 0x01cd0000 0x01d4ffff Private Memory rw True False False -
private_0x0000000001d70000 0x01d70000 0x01deffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01efffff Private Memory rw True False False -
sortdefault.nls 0x01f00000 0x021cefff Memory Mapped File r False False False -
private_0x0000000002250000 0x02250000 0x022cffff Private Memory rw True False False -
private_0x0000000002350000 0x02350000 0x023cffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #428: taskkill.exe
Information Value
ID #428
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:48, Reason: Child Process
Unmonitor End Time: 00:03:07, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7b4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7D8
0x81C
0x88C
0x8BC
0x8C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x00370fff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000590000 0x00590000 0x00710fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000720000 0x00720000 0x01b1ffff Pagefile Backed Memory r True False False -
private_0x0000000001b70000 0x01b70000 0x01beffff Private Memory rw True False False -
kernelbase.dll.mui 0x01bf0000 0x01caffff Memory Mapped File rw False False False -
private_0x0000000001cd0000 0x01cd0000 0x01d4ffff Private Memory rw True False False -
private_0x0000000001df0000 0x01df0000 0x01e6ffff Private Memory rw True False False -
private_0x0000000002000000 0x02000000 0x0207ffff Private Memory rw True False False -
sortdefault.nls 0x02080000 0x0234efff Memory Mapped File r False False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #429: taskkill.exe
Information Value
ID #429
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:48, Reason: Child Process
Unmonitor End Time: 00:03:08, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x784
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x538
0x820
0x890
0x8CC
0x8D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00190000 0x0024ffff Memory Mapped File rw False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
pagefile_0x0000000000450000 0x00450000 0x00450fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000460000 0x00460000 0x00460fff Pagefile Backed Memory r True False False -
private_0x00000000004b0000 0x004b0000 0x0052ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory rw True False False -
pagefile_0x0000000000540000 0x00540000 0x006c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006d0000 0x006d0000 0x00850fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000860000 0x00860000 0x01c5ffff Pagefile Backed Memory r True False False -
private_0x0000000001c70000 0x01c70000 0x01ceffff Private Memory rw True False False -
private_0x0000000001db0000 0x01db0000 0x01e2ffff Private Memory rw True False False -
sortdefault.nls 0x01e30000 0x020fefff Memory Mapped File r False False False -
private_0x0000000002110000 0x02110000 0x0218ffff Private Memory rw True False False -
private_0x00000000021b0000 0x021b0000 0x0222ffff Private Memory rw True False False -
private_0x00000000022a0000 0x022a0000 0x0231ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
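The taskkill.exe children in this report all share the same parent (PID 0x77c, fmoac.exe), start within about two seconds of each other (00:02:47 to 00:02:49), and each force-kills one image (/IM dbsnmp.exe /F, /IM encsvc.exe /F, /IM excel.exe /F, /IM firefoxconfig.exe /F, /IM infopath.exe /F). Ransomware does this to release file locks before encrypting. The detection below is an added example, not code from VMRay or from the sample: it runs over constructed process-creation records in a simple pipe-delimited form (the format, the 30-second window and the three-target threshold are assumptions for illustration; the taskkill rows reuse the PIDs, parent PID, start times and targets shown in this report, and the final notepad.exe row is a constructed benign control) and flags a parent that force-kills several distinct images in a short burst.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events (time|pid|ppid|image|command line).
# The taskkill.exe rows reuse the PIDs, parent PID, monitor start times and
# /IM targets shown in this report; the last row is a constructed benign
# control (a single taskkill from an unrelated parent) that must not fire.
SAMPLE_EVENTS = """
00:02:47|0x334|0x77c|c:\\windows\\system32\\taskkill.exe|"C:\\Windows\\System32\\taskkill.exe" /IM dbsnmp.exe /F
00:02:47|0x7c8|0x77c|c:\\windows\\system32\\taskkill.exe|"C:\\Windows\\System32\\taskkill.exe" /IM encsvc.exe /F
00:02:48|0x7b4|0x77c|c:\\windows\\system32\\taskkill.exe|"C:\\Windows\\System32\\taskkill.exe" /IM excel.exe /F
00:02:48|0x784|0x77c|c:\\windows\\system32\\taskkill.exe|"C:\\Windows\\System32\\taskkill.exe" /IM firefoxconfig.exe /F
00:02:49|0x5f8|0x77c|c:\\windows\\system32\\taskkill.exe|"C:\\Windows\\System32\\taskkill.exe" /IM infopath.exe /F
00:05:10|0x9a0|0x1f4|c:\\windows\\system32\\taskkill.exe|"C:\\Windows\\System32\\taskkill.exe" /IM notepad.exe /F
"""

# Image names this report shows being force-killed. Ransomware kills database,
# mail and Office processes so the files they hold open can be encrypted.
KNOWN_RANSOMWARE_TARGETS = {
    "dbsnmp.exe", "encsvc.exe", "excel.exe", "firefoxconfig.exe", "infopath.exe",
}

TARGET_RE = re.compile(r'/IM\s+"?([^\s"]+)"?', re.IGNORECASE)
FORCE_RE = re.compile(r'(?:^|\s)/F(?:\s|$)', re.IGNORECASE)  # /F only, not /FI


def parse_hms(stamp):
    """'HH:MM:SS' relative timestamp -> seconds."""
    h, m, s = (int(part) for part in stamp.split(":"))
    return h * 3600 + m * 60 + s


def parse_events(text):
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, pid, ppid, image, cmdline = line.split("|", 4)
        events.append({
            "t": parse_hms(stamp), "pid": pid, "ppid": ppid,
            "image": image.lower(), "cmdline": cmdline,
        })
    return events


def taskkill_target(cmdline):
    """Return the /IM image name from a taskkill command line, or None."""
    m = TARGET_RE.search(cmdline)
    return m.group(1).lower() if m else None


def detect_taskkill_bursts(events, min_targets=3, window_s=30):
    """Flag any parent that force-kills >= min_targets distinct images within window_s."""
    kills_by_parent = defaultdict(list)
    for ev in events:
        if not ev["image"].endswith("\\taskkill.exe"):
            continue
        target = taskkill_target(ev["cmdline"])
        if target is None or not FORCE_RE.search(ev["cmdline"]):
            continue
        kills_by_parent[ev["ppid"]].append((ev["t"], target))

    findings = []
    for ppid, kills in kills_by_parent.items():
        kills.sort()
        for i, (t0, _) in enumerate(kills):
            # distinct targets killed within window_s seconds of this kill
            in_window = {tg for t, tg in kills[i:] if t - t0 <= window_s}
            if len(in_window) >= min_targets:
                findings.append({
                    "ppid": ppid,
                    "first_seen": t0,
                    "targets": sorted(in_window),
                    "known_targets": sorted(in_window & KNOWN_RANSOMWARE_TARGETS),
                })
                break  # one finding per parent is enough
    return findings


if __name__ == "__main__":
    for f in detect_taskkill_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"parent {f['ppid']} force-killed {len(f['targets'])} images "
              f"starting at t={f['first_seen']}s: {', '.join(f['targets'])}")
```

Keying on the parent rather than on individual taskkill invocations is what keeps the rule quiet: a single administrative `taskkill /IM notepad.exe /F` never reaches the threshold, while a parent that kills several database or Office images in one burst does, regardless of whether its image name (here fmoac.exe) has ever been seen before. In production the same logic would read Sysmon Event ID 1 or Security 4688 records, which carry the same parent PID, image and command line fields.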
Process #431: taskkill.exe
Information Value
ID #431
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:49, Reason: Child Process
Unmonitor End Time: 00:03:08, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5f8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x130
0x89C
0x8D4
0x908
0x90C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00156fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00170000 0x00173fff Memory Mapped File rw False False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
kernelbase.dll.mui 0x002a0000 0x0035ffff Memory Mapped File rw False False False -
pagefile_0x0000000000360000 0x00360000 0x00360fff Pagefile Backed Memory r True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
pagefile_0x00000000004a0000 0x004a0000 0x00627fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000630000 0x00630000 0x007b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007c0000 0x007c0000 0x01bbffff Pagefile Backed Memory r True False False -
private_0x0000000001c20000 0x01c20000 0x01c9ffff Private Memory rw True False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory rw True False False -
private_0x0000000001da0000 0x01da0000 0x01e1ffff Private Memory rw True False False -
private_0x0000000001f00000 0x01f00000 0x01f7ffff Private Memory rw True False False -
sortdefault.nls 0x01f80000 0x0224efff Memory Mapped File r False False False -
private_0x0000000002250000 0x02250000 0x022cffff Private Memory rw True False False -
private_0x0000000002310000 0x02310000 0x0238ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #432: taskkill.exe
Information Value
ID #432
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:50, Reason: Child Process
Unmonitor End Time: 00:03:07, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x810
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x814
0x8A0
0x8D8
0x910
0x914
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
pagefile_0x0000000000470000 0x00470000 0x005f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000600000 0x00600000 0x00780fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000790000 0x00790000 0x01b8ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b90000 0x01c4ffff Memory Mapped File rw False False False -
private_0x0000000001c60000 0x01c60000 0x01cdffff Private Memory rw True False False -
private_0x0000000001ce0000 0x01ce0000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
private_0x0000000001e40000 0x01e40000 0x01ebffff Private Memory rw True False False -
sortdefault.nls 0x01ec0000 0x0218efff Memory Mapped File r False False False -
private_0x0000000002210000 0x02210000 0x0228ffff Private Memory rw True False False -
private_0x00000000022e0000 0x022e0000 0x0235ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #433: taskkill.exe
Information Value
ID #433
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:50, Reason: Child Process
Unmonitor End Time: 00:03:07, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x830
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x834
0x930
0x93C
0x960
0x964
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
taskkill.exe.mui 0x000f0000 0x000f3fff Memory Mapped File rw False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007d0000 0x007d0000 0x01bcffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01bd0000 0x01c8ffff Memory Mapped File rw False False False -
private_0x0000000001ca0000 0x01ca0000 0x01d1ffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
private_0x0000000001eb0000 0x01eb0000 0x01f2ffff Private Memory rw True False False -
sortdefault.nls 0x01f30000 0x021fefff Memory Mapped File r False False False -
private_0x0000000002280000 0x02280000 0x022fffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #434: taskkill.exe
Information Value
ID #434
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:50, Reason: Child Process
Unmonitor End Time: 00:03:07, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x870
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x874
0x994
0x9AC
0x9F4
0x9F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00260000 0x00263fff Memory Mapped File rw False False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x01adffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ae0000 0x01b9ffff Memory Mapped File rw False False False -
private_0x0000000001c20000 0x01c20000 0x01c9ffff Private Memory rw True False False -
private_0x0000000001cb0000 0x01cb0000 0x01d2ffff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01eeffff Private Memory rw True False False -
sortdefault.nls 0x01ef0000 0x021befff Memory Mapped File r False False False -
private_0x0000000002240000 0x02240000 0x022bffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #435: taskkill.exe
Information Value
ID #435
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:51, Reason: Child Process
Unmonitor End Time: 00:03:07, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8c4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8C8
0x9A0
0x9E0
0xA04
0xA08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x0046ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000610000 0x00610000 0x00790fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007a0000 0x007a0000 0x01b9ffff Pagefile Backed Memory r True False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
kernelbase.dll.mui 0x01cb0000 0x01d6ffff Memory Mapped File rw False False False -
private_0x0000000001db0000 0x01db0000 0x01e2ffff Private Memory rw True False False -
sortdefault.nls 0x01e30000 0x020fefff Memory Mapped File r False False False -
private_0x0000000002100000 0x02100000 0x0217ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #436: taskkill.exe
Information Value
ID #436
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:51, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8f4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8F8
0x9B8
0x9E8
0xA14
0xA18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00210000 0x002cffff Memory Mapped File rw False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
private_0x00000000005c0000 0x005c0000 0x005cffff Private Memory rw True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00757fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x008e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008f0000 0x008f0000 0x01ceffff Pagefile Backed Memory r True False False -
private_0x0000000001d50000 0x01d50000 0x01dcffff Private Memory rw True False False -
private_0x0000000001eb0000 0x01eb0000 0x01f2ffff Private Memory rw True False False -
private_0x0000000001ff0000 0x01ff0000 0x0206ffff Private Memory rw True False False -
private_0x00000000020c0000 0x020c0000 0x0213ffff Private Memory rw True False False -
sortdefault.nls 0x02140000 0x0240efff Memory Mapped File r False False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #437: taskkill.exe
Information Value
ID #437
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:51, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x920
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x924
0x9E4
0xA00
0xA2C
0xA30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00170000 0x00173fff Memory Mapped File rw False False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
pagefile_0x00000000003b0000 0x003b0000 0x00537fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000540000 0x00540000 0x006c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006d0000 0x006d0000 0x01acffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ad0000 0x01b8ffff Memory Mapped File rw False False False -
pagefile_0x0000000001b90000 0x01b90000 0x01b90fff Pagefile Backed Memory r True False False -
private_0x0000000001bf0000 0x01bf0000 0x01c6ffff Private Memory rw True False False -
private_0x0000000001cb0000 0x01cb0000 0x01d2ffff Private Memory rw True False False -
private_0x0000000001d70000 0x01d70000 0x01deffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01efffff Private Memory rw True False False -
sortdefault.nls 0x01f00000 0x021cefff Memory Mapped File r False False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #439: taskkill.exe
Information Value
ID #439
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:52, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x96c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x970
0xA20
0xA50
0xA6C
0xA70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x005c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00750fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x01b5ffff Pagefile Backed Memory r True False False -
private_0x0000000001bd0000 0x01bd0000 0x01c4ffff Private Memory rw True False False -
kernelbase.dll.mui 0x01c50000 0x01d0ffff Memory Mapped File rw False False False -
private_0x0000000001dc0000 0x01dc0000 0x01e3ffff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01eeffff Private Memory rw True False False -
sortdefault.nls 0x01ef0000 0x021befff Memory Mapped File r False False False -
private_0x0000000002320000 0x02320000 0x0239ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #440: taskkill.exe
Information Value
ID #440
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:52, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x984
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x988
0xA68
0xAA8
0xAFC
0xB00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #441: taskkill.exe
Information Value
ID #441
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:52, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9b0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9B4
0xA84
0xAAC
0xAF4
0xAF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #442: taskkill.exe
Information Value
ID #442
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:53, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9d8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9DC
0xA90
0xAB8
0xB0C
0xB10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #443: taskkill.exe
Information Value
ID #443
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:53, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa34
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA38
0xB30
0xB68
0xB80
0xB84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000f0000 0x000f3fff Memory Mapped File rw False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory r True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x01adffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ae0000 0x01b9ffff Memory Mapped File rw False False False -
private_0x0000000001bb0000 0x01bb0000 0x01c2ffff Private Memory rw True False False -
private_0x0000000001d90000 0x01d90000 0x01e0ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #444: taskkill.exe
Information Value
ID #444
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:54, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa5c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA60, 0xB14, 0xB4C, 0xB70, 0xB74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #445: taskkill.exe
Information Value
ID #445
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:54, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa7c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA80, 0xB20, 0xB60, 0xB78, 0xB7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #446: taskkill.exe
Information Value
ID #446
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:54, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xac0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAC4, 0xBA0, 0xBC8, 0xBD4, 0xBD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #447: taskkill.exe
Information Value
ID #447
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:54, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xae4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAE8, 0xBBC, 0xBCC, 0xBDC, 0xBE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #448: taskkill.exe
Information Value
ID #448
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:55, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb24
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB28, 0x8DC, 0x928, 0xA24, 0xA44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #449: taskkill.exe
Information Value
ID #449
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:55, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb40
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB44, 0xBF0, 0x884, 0x714, 0x43C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #450: taskkill.exe
Information Value
ID #450
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:56, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb90
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB94, 0x99C, 0x51C, 0xAEC, 0xAE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #451: taskkill.exe
Information Value
ID #451
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:56, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbb0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBB4, 0x4F0, 0x9C0, 0x7E0, 0x7DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #452: taskkill.exe
Information Value
ID #452
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:56, Reason: Child Process
Unmonitor End Time: 00:03:09, Reason: Self Terminated
Monitor Duration 00:00:13
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbe8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBEC, 0xA78, 0xAC8, 0x91C, 0x9F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #453: taskkill.exe
Information Value
ID #453
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:56, Reason: Child Process
Unmonitor End Time: 00:03:10, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x82c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x818, 0xB9C, 0xA64, 0xC14, 0xC18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #454: taskkill.exe
Information Value
ID #454
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:57, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x974
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9A8, 0xC04, 0xC24, 0xC5C, 0xC60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #455: taskkill.exe
Information Value
ID #455
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:57, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x548
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x1C8, 0xC10, 0xC4C, 0xC64, 0xC68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #456: taskkill.exe
Information Value
ID #456
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:58, Reason: Child Process
Unmonitor End Time: 00:03:10, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb5c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB3C, 0xC50, 0xC70, 0xC88, 0xC8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #457: taskkill.exe
Information Value
ID #457
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:58, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7bc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8E4, 0xC84, 0xCB0, 0xCBC, 0xCC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #458: taskkill.exe
0 0
»
Information Value
ID #458
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:59, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:13
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xc28
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC2C
0xD08
0xD28
0xD44
0xD48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #459: taskkill.exe
Information Value
ID #459
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:59, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:13
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc40
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC44
0xCC8
0xCDC
0xD18
0xD1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
rsaenh.dll 0x00140000 0x00184fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b50000 0x01c0ffff Memory Mapped File rw False False False -
private_0x0000000001c80000 0x01c80000 0x01cfffff Private Memory rw True False False -
private_0x0000000001e40000 0x01e40000 0x01ebffff Private Memory rw True False False -
private_0x0000000001ef0000 0x01ef0000 0x01f6ffff Private Memory rw True False False -
private_0x0000000001ff0000 0x01ff0000 0x0206ffff Private Memory rw True False False -
sortdefault.nls 0x02070000 0x0233efff Memory Mapped File r False False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #460: taskkill.exe
Information Value
ID #460
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:59, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:13
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc78
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC7C
0xD0C
0xD2C
0xD50
0xD54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #461: taskkill.exe
Information Value
ID #461
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:59, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:13
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc9c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCA0
0xD10
0xD34
0xD74
0xD78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #462: taskkill.exe
Information Value
ID #462
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:00, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcd4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCD8
0xDB8
0xDC4
0xDF8
0xDFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #463: taskkill.exe
Information Value
ID #463
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:00, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcf8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCFC
0xDAC
0xDC0
0xDE0
0xDE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007d0000 0x007d0000 0x01bcffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01bd0000 0x01c8ffff Memory Mapped File rw False False False -
private_0x0000000001da0000 0x01da0000 0x01e1ffff Private Memory rw True False False -
private_0x0000000001e40000 0x01e40000 0x01ebffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #464: taskkill.exe
Information Value
ID #464
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:00, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd3c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD40
0xDF0
0xE10
0xE34
0xE38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #465: taskkill.exe
Information Value
ID #465
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:00, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd60
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD64
0xDF4
0xE28
0xE3C
0xE40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #466: taskkill.exe
Information Value
ID #466
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:01, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:13
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd8c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD90
0xF3C
0xF5C
0xF78
0xF7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #467: taskkill.exe
Information Value
ID #467
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:01, Reason: Child Process
Unmonitor End Time: 00:03:13, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xda0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xDA4
0xF40
0xF60
0xF88
0xF8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #468: taskkill.exe
Information Value
ID #468
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:01, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:13
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdd0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xDD4
0xF44
0xF68
0xF94
0xF98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x001e0000 0x001e3fff Memory Mapped File rw False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
pagefile_0x00000000003d0000 0x003d0000 0x00557fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000560000 0x00560000 0x006e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006f0000 0x006f0000 0x01aeffff Pagefile Backed Memory r True False False -
private_0x0000000001b70000 0x01b70000 0x01beffff Private Memory rw True False False -
kernelbase.dll.mui 0x01bf0000 0x01caffff Memory Mapped File rw False False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory rw True False False -
private_0x0000000001da0000 0x01da0000 0x01e1ffff Private Memory rw True False False -
private_0x0000000001e90000 0x01e90000 0x01f0ffff Private Memory rw True False False -
private_0x0000000001f50000 0x01f50000 0x01fcffff Private Memory rw True False False -
sortdefault.nls 0x01fd0000 0x0229efff Memory Mapped File r False False False -
private_0x00000000023b0000 0x023b0000 0x0242ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff260000 0xff27efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef61b0000 0x7fef62d4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef62e0000 0x7fef632bfff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef9b10000 0x7fef9b23fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef9df0000 0x7fef9dfefff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
fastprox.dll 0x7fef9e30000 0x7fef9f11fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fefa0a0000 0x7fefa125fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd9f0000 0x7fefd9fafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #469: net.exe
0 0
Information Value
ID #469
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:02, Reason: Child Process
Unmonitor End Time: 00:03:11, Reason: Self Terminated
Monitor Duration 00:00:09
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe00
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #470: net.exe
0 0
Information Value
ID #470
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:02, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:10
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe1c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #471: net.exe
0 0
Information Value
ID #471
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:08, Reason: Child Process
Unmonitor End Time: 00:03:11, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xee4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #472: net.exe
0 0
Information Value
ID #472
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:09, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf08
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #473: net1.exe
17 0
Information Value
ID #473
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:10, Reason: Child Process
Unmonitor End Time: 00:03:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf18
Parent PID 0xe00 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc20000 0xffc52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffc20000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:26 (UTC) True 1 Fn
Get Time type = Ticks, time = 50637 True 1 Fn
Process #474: net1.exe
17 0
Information Value
ID #474
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Enterprise Client Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:10, Reason: Child Process
Unmonitor End Time: 00:03:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf20
Parent PID 0xe1c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0008ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc20000 0xffc52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffc20000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:27 (UTC) True 1 Fn
Get Time type = Ticks, time = 50700 True 1 Fn
Process #475: net.exe
0 0
Information Value
ID #475
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:10, Reason: Child Process
Unmonitor End Time: 00:03:13, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf30
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #476: net1.exe
17 0
Information Value
ID #476
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Agent" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:10, Reason: Child Process
Unmonitor End Time: 00:03:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf48
Parent PID 0xee4 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc20000 0xffc52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffc20000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:26 (UTC) True 1 Fn
Get Time type = Ticks, time = 50684 True 1 Fn
Process #477: net.exe
0 0
Information Value
ID #477
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:10, Reason: Child Process
Unmonitor End Time: 00:03:13, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf6c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #478: net.exe
0 0
Information Value
ID #478
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:11, Reason: Child Process
Unmonitor End Time: 00:03:13, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb48
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #479: net1.exe
17 0
Information Value
ID #479
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:11, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xc3c
Parent PID 0xf6c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0f0000 0xff122fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff0f0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:29 (UTC) True 1 Fn
Get Time type = Ticks, time = 52931 True 1 Fn
Process #480: net1.exe
17 0
Information Value
ID #480
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Clean Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:12, Reason: Child Process
Unmonitor End Time: 00:03:13, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd24
Parent PID 0xf30 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0f0000 0xff122fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff0f0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:29 (UTC) True 1 Fn
Get Time type = Ticks, time = 52962 True 1 Fn
Process #481: net1.exe
17 0
Information Value
ID #481
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:12, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xd14
Parent PID 0xf08 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0f0000 0xff122fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff0f0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:29 (UTC) True 1 Fn
Get Time type = Ticks, time = 53024 True 1 Fn
Process #482: net.exe
0 0
Information Value
ID #482
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:12, Reason: Child Process
Unmonitor End Time: 00:03:13, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd80
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #483: net.exe
0 0
Information Value
ID #483
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:12, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdb4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #484: net.exe
0 0
Information Value
ID #484
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:13, Reason: Child Process
Unmonitor End Time: 00:03:15, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x61c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #485: net1.exe
17 0
Information Value
ID #485
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:13, Reason: Child Process
Unmonitor End Time: 00:03:13, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe54
Parent PID 0xb48 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x960
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffed0000 0xfff02fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffed0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:29 (UTC) True 1 Fn
Get Time type = Ticks, time = 53679 True 1 Fn
Process #486: net.exe
0 0
Information Value
ID #486
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:13, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x964
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #487: net.exe
0 0
Information Value
ID #487
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:13, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x83c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #488: net1.exe
17 0
Information Value
ID #488
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Health Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:13, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8d0
Parent PID 0xd80 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff950000 0xff982fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff950000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:30 (UTC) True 1 Fn
Get Time type = Ticks, time = 53945 True 1 Fn
Process #489: net1.exe
17 0
Information Value
ID #489
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:13, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe78
Parent PID 0xdb4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff460000 0xff492fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff460000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:30 (UTC) True 1 Fn
Get Time type = Ticks, time = 54116 True 1 Fn
Process #490: net1.exe
17 0
Information Value
ID #490
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos MCS Client" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:13, Reason: Child Process
Unmonitor End Time: 00:03:15, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x9f8
Parent PID 0x61c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
private_0x0000000000690000 0x00690000 0x0069ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff460000 0xff492fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff460000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:30 (UTC) True 1 Fn
Get Time type = Ticks, time = 54163 True 1 Fn
Process #491: net.exe
0 0
Information Value
ID #491
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:13, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa08
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x69C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #492: net.exe
0 0
Information Value
ID #492
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Child Process
Unmonitor End Time: 00:03:15, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe18
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x5F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #493: net1.exe
17 0
Information Value
ID #493
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Child Process
Unmonitor End Time: 00:03:14, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x318
Parent PID 0x83c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9b0000 0xff9e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9b0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:31 (UTC) True 1 Fn
Get Time type = Ticks, time = 54834 True 1 Fn
Process #494: net1.exe
17 0
Information Value
ID #494
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Message Router" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Child Process
Unmonitor End Time: 00:03:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x408
Parent PID 0x964 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x640
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9b0000 0xff9e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9b0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:31 (UTC) True 1 Fn
Get Time type = Ticks, time = 54709 True 1 Fn
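The Service rows above are the detail a detection engineer should notice: `Open Manager` succeeds but `Get Service Name` returns `False`, i.e. the targeted service is not installed in the analysis VM, so the stop attempt fails and no service-control success event is ever produced. What is logged regardless is the process creation: fmoac.exe launches `net.exe stop "<service>" /y`, and net.exe hands the work to a child `net1.exe` with the same arguments, so a rule must match both images and collapse the pair back to the spawner. The Python below is an added example and not part of the VMRay report; it reconstructs the process tree from constructed process-creation events modelled on this report's PIDs and command lines, walks past the net.exe/net1.exe/cmd.exe wrappers to the spawning process, and alerts when one spawner targets several backup or security services. The event tuple layout, the watchlist keywords and the two benign `Spooler` lines are assumptions. One caveat from the report itself: PIDs are reused (some net1.exe instances here are attributed to a taskkill.exe or net1.exe parent), so on real telemetry correlate on process GUIDs rather than raw PIDs.

```python
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed process-creation events modelled on this report's process
# tree: fmoac.exe (PID 0x77c) spawns net.exe, which re-executes itself as
# net1.exe. PIDs and command lines follow the report; the tuple layout and
# the two benign Spooler lines are assumptions made for this example.
SAMPLE_EVENTS = [
    Event(0x77c, 0x001, r"c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe",
          r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe"'),
    Event(0x3a8, 0x77c, r"c:\windows\system32\net.exe",
          r'"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y'),
    Event(0x448, 0x3a8, r"c:\windows\system32\net1.exe",
          r'C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y'),
    Event(0x994, 0x77c, r"c:\windows\system32\net.exe",
          r'"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y'),
    Event(0x8a0, 0x77c, r"c:\windows\system32\net.exe",
          r'"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y'),
    Event(0x218, 0x77c, r"c:\windows\system32\net.exe",
          r'"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y'),
    Event(0x848, 0x77c, r"c:\windows\system32\net.exe",
          r'"C:\Windows\System32\net.exe" stop AcronisAgent /y'),
    # Benign noise (constructed): an operator restarting the print spooler.
    Event(0xb10, 0x002, r"c:\windows\system32\cmd.exe",
          r'cmd.exe /c net stop Spooler /y'),
    Event(0xb14, 0xb10, r"c:\windows\system32\net.exe",
          r'"C:\Windows\System32\net.exe" stop Spooler /y'),
]

# net.exe hands "stop" off to net1.exe, so both spellings must match.
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?"?\s.*?/IM\s+(?:"([^"]+)"|(\S+))', re.I)

# Substrings of the backup/security product names targeted in this report,
# plus two generic ones (assumed watchlist; tune it to the estate).
WATCHLIST = ("sophos", "symantec", "veeam", "acronis", "sqlsafe", "backup", "recovery")

# Thin wrappers that sit between the real spawner and the service-control call.
LAUNCHERS = {"net.exe", "net1.exe", "cmd.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(cmdline):
    """Return ("service_stop", name) or ("image_kill", name), else None."""
    m = NET_STOP.search(cmdline)
    if m:
        return ("service_stop", m.group(1) or m.group(2))
    m = TASKKILL.search(cmdline)
    if m:
        return ("image_kill", m.group(1) or m.group(2))
    return None


def on_watchlist(name):
    n = name.lower()
    return any(k in n for k in WATCHLIST)


def find_spawner(pid, by_pid):
    """Walk past net/net1/cmd wrappers to the process that issued the stop.
    PIDs are reused (the report attributes some net1.exe instances to a
    taskkill.exe or net1.exe parent); real telemetry should use process GUIDs."""
    seen = set()
    cur = pid
    while cur in by_pid and cur not in seen:
        seen.add(cur)
        ev = by_pid[cur]
        if basename(ev.image) not in LAUNCHERS or ev.ppid not in by_pid:
            return cur
        cur = ev.ppid
    return cur


def detect(events, threshold=3):
    """Alert on any spawner that targets >= threshold distinct watchlisted
    services or images, whether or not the stop succeeded."""
    by_pid = {e.pid: e for e in events}
    targets = defaultdict(set)
    for e in events:
        hit = classify(e.cmdline)
        if hit and on_watchlist(hit[1]):
            targets[find_spawner(e.pid, by_pid)].add((hit[0], hit[1].lower()))
    return [
        {"spawner_pid": pid, "image": by_pid[pid].image, "targets": sorted(hits)}
        for pid, hits in targets.items() if len(hits) >= threshold
    ]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT spawner pid={a['spawner_pid']:#x} {a['image']}")
        for kind, name in a["targets"]:
            print(f"  {kind}: {name}")
```

The net.exe/net1.exe pair for "SQLsafe Backup Service" collapses to a single target under the fmoac.exe spawner, so the threshold counts distinct services rather than process launches; the single Spooler restart never reaches the watchlist and produces no alert.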
Process #495: net.exe
0 0
Information Value
ID #495
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Child Process
Unmonitor End Time: 00:03:17, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3a8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #496: net1.exe
17 0
Information Value
ID #496
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Child Process
Unmonitor End Time: 00:03:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x804
Parent PID 0xa08 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x63C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9b0000 0xff9e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9b0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:31 (UTC) True 1 Fn
Get Time type = Ticks, time = 54896 True 1 Fn
Process #497: net.exe
0 0
Information Value
ID #497
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Child Process
Unmonitor End Time: 00:03:17, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x994
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #498: net1.exe
17 0
Information Value
ID #498
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Child Process
Unmonitor End Time: 00:03:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9a0
Parent PID 0xe18 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9b0000 0xff9e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9b0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:31 (UTC) True 1 Fn
Get Time type = Ticks, time = 55037 True 1 Fn
Process #499: net.exe
0 0
Information Value
ID #499
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Child Process
Unmonitor End Time: 00:03:17, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8a0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #500: net.exe
0 0
Information Value
ID #500
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Child Process
Unmonitor End Time: 00:03:17, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x218
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x778
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #501: net.exe
0 0
Information Value
ID #501
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AcronisAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Child Process
Unmonitor End Time: 00:03:17, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x848
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x644
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #502: net1.exe
17 0
Information Value
ID #502
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:15, Reason: Child Process
Unmonitor End Time: 00:03:16, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x448
Parent PID 0x3a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x144
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff750000 0xff782fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff750000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:31 (UTC) True 1
Get Time type = Ticks, time = 55520 True 1
Process #503: net.exe
Information Value
ID #503
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:15, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x718
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x824
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #504: net1.exe
Information Value
ID #504
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:15, Reason: Child Process
Unmonitor End Time: 00:03:17, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x878
Parent PID 0x994 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x324
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff750000 0xff782fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff750000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:32 (UTC) True 1
Get Time type = Ticks, time = 55848 True 1
Process #505: net1.exe
Information Value
ID #505
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Symantec System Recovery" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:15, Reason: Child Process
Unmonitor End Time: 00:03:17, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x870
Parent PID 0x8a0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x92C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff750000 0xff782fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff750000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:32 (UTC) True 1
Get Time type = Ticks, time = 55895 True 1
Process #506: net1.exe
Information Value
ID #506
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:15, Reason: Child Process
Unmonitor End Time: 00:03:17, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x894
Parent PID 0x218 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff750000 0xff782fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff750000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:32 (UTC) True 1
Get Time type = Ticks, time = 55926 True 1
Process #507: net1.exe
Information Value
ID #507
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AcronisAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:15, Reason: Child Process
Unmonitor End Time: 00:03:17, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc14
Parent PID 0x848 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff750000 0xff782fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff750000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:32 (UTC) True 1
Get Time type = Ticks, time = 56144 True 1
Process #508: net.exe
Information Value
ID #508
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop Antivirus /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:15, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9f0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xED0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #509: net.exe
Information Value
ID #509
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ARSM /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:16, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x34c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x528
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #510: net.exe
Information Value
ID #510
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:17, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x158
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #511: net.exe
Information Value
ID #511
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:17, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa64
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x818
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #512: net.exe
Information Value
ID #512
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:17, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc08
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x82C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #513: net1.exe
Information Value
ID #513
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ARSM /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:17, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x534
Parent PID 0x34c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x898
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:34 (UTC) True 1
Get Time type = Ticks, time = 58141 True 1
Process #514: net1.exe
Information Value
ID #514
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop Antivirus /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:17, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xbe8
Parent PID 0x9f0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:34 (UTC) True 1
Get Time type = Ticks, time = 58188 True 1
Process #515: net1.exe
Information Value
ID #515
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AcrSch2Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:17, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x32c
Parent PID 0x718 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:34 (UTC) True 1
Get Time type = Ticks, time = 58422 True 1
Process #516: net.exe
Information Value
ID #516
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xef8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #517: net1.exe
Information Value
ID #517
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf2c
Parent PID 0xa64 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff500000 0xff532fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff500000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:35 (UTC) True 1
Get Time type = Ticks, time = 58703 True 1
Process #518: net1.exe
Information Value
ID #518
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf54
Parent PID 0x158 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff500000 0xff532fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff500000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:35 (UTC) True 1 Fn
Get Time type = Ticks, time = 58734 True 1 Fn
Process #519: net.exe
0 0
Information Value
ID #519
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf38
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #520: net.exe
0 0
Information Value
ID #520
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf14
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #521: net1.exe
17 0
Information Value
ID #521
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecJobEngine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xefc
Parent PID 0xef8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff750000 0xff782fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff750000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:35 (UTC) True 1 Fn
Get Time type = Ticks, time = 58983 True 1 Fn
Process #522: net.exe
0 0
Information Value
ID #522
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfa0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xDE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #523: net.exe
0 0
Information Value
ID #523
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop bedbg /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdc0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #524: net1.exe
17 0
Information Value
ID #524
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xa14
Parent PID 0xc08 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffff0000 0x100022fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffff0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:35 (UTC) True 1 Fn
Get Time type = Ticks, time = 59202 True 1 Fn
Process #525: net1.exe
17 0
Information Value
ID #525
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecRPCService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
»
Information Value
PID 0xfb0
Parent PID 0xf14 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD50
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff990000 0xff9c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff990000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:35 (UTC) True 1 Fn
Get Time type = Ticks, time = 59420 True 1 Fn
Process #526: net1.exe
17 0
Information Value
ID #526
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecManagementService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:19, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
»
Information Value
PID 0xd54
Parent PID 0xf38 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xFB4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff990000 0xff9c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff990000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:35 (UTC) True 1 Fn
Get Time type = Ticks, time = 59389 True 1 Fn
Process #527: net.exe
0 0
Information Value
ID #527
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop DCAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:19, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe3c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #528: net.exe
0 0
Information Value
ID #528
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EPSecurityService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:19, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfbc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #529: net1.exe
17 0
Information Value
ID #529
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecVSSProvider /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:19, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xaec
Parent PID 0xfa0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffff0000 0x100022fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffff0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:35 (UTC) True 1 Fn
Get Time type = Ticks, time = 59670 True 1 Fn
Process #530: net1.exe
17 0
Information Value
ID #530
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop bedbg /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:19, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc5c
Parent PID 0xdc0 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffff0000 0x100022fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffff0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:36 (UTC) True 1 Fn
Get Time type = Ticks, time = 59732 True 1 Fn
Process #531: net.exe
0 0
Information Value
ID #531
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EPUpdateService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:19, Reason: Child Process
Unmonitor End Time: 00:03:21, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd18
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #532: net.exe
0 0
Information Value
ID #532
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:19, Reason: Child Process
Unmonitor End Time: 00:03:21, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe94
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #533: net1.exe
17 0
Information Value
ID #533
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EPSecurityService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:19, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd40
Parent PID 0xfbc (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff810000 0xff842fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff810000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:36 (UTC) True 1 Fn
Get Time type = Ticks, time = 60029 True 1 Fn
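The records above show the pattern a detection engineer wants to alert on: one parent (fmoac.exe, PID 0x77c) launching a run of `net.exe stop <service> /y` children within the same second or two, each of which hands the work to `net1.exe` (ATT&CK T1489, Service Stop). They also show a sandbox caveat worth checking for in any process tree: process #533 records its parent 0xfbc as net1.exe, while process #528 shows that PID 0xfbc belonged to net.exe, so a parent label taken from a PID alone can be wrong once PIDs are reused. The script below is an added example, not part of the VMRay report, and runs over constructed process-creation records modelled on the report's fields (PID, parent PID, image, command line, monitor start time); the thresholds, the helper names, the timings and the taskkill targets are assumptions. It flags a parent that launches at least five stop/kill children inside a ten-second window and cross-checks every parent label against whichever record actually owned that PID when the child started.

```python
"""Flag a service-stop / process-kill burst and mislabelled parents in
process-creation records. Added example, not the report's or VMRay's code;
record format, thresholds and helper names are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcRecord:
    pid: int
    ppid: int
    parent_image: str  # parent image as the sandbox labelled it (can be wrong after PID reuse)
    image: str         # lower-case basename of this process
    cmdline: str
    start: float       # seconds since analysis start ("Monitor Start Time")


# net.exe / net1 / net1.exe ... stop <service>   and   taskkill ... /IM <image>
SERVICE_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(\S+)', re.I)
PROCESS_KILL = re.compile(r'\btaskkill(?:\.exe)?"?\s+.*?/IM\s+(\S+)', re.I)


def classify(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return ("service_stop", name) or ("process_kill", image), else None."""
    m = SERVICE_STOP.search(cmdline)
    if m:
        return ("service_stop", m.group(1))
    m = PROCESS_KILL.search(cmdline)
    if m:
        return ("process_kill", m.group(1))
    return None


def find_bursts(records: List[ProcRecord], threshold: int = 5,
                window: float = 10.0) -> Dict[int, List[Tuple[str, str]]]:
    """Map parent PID -> sorted (kind, target) list for each parent that launched
    at least `threshold` stop/kill children inside any `window` seconds. Only the
    tool the parent launched directly (net.exe, taskkill.exe) is counted, so the
    net.exe -> net1.exe hand-off seen in the report is not double counted."""
    per_parent: Dict[int, list] = defaultdict(list)
    for r in records:
        hit = classify(r.cmdline)
        if hit and r.image in ("net.exe", "taskkill.exe"):
            per_parent[r.ppid].append((r.start, hit))
    bursts: Dict[int, List[Tuple[str, str]]] = {}
    for ppid, events in per_parent.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):  # sliding window over child start times
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[ppid] = sorted({hit for _, hit in events})
                break
    return bursts


def parent_label_mismatches(records: List[ProcRecord]) -> List[Tuple[int, str, str]]:
    """Cross-check each parent label against the record that actually owned the
    parent PID when the child started (latest start <= child's start, which is
    what exposes PID reuse). Returns (child_pid, labelled_image, actual_image)."""
    by_pid: Dict[int, List[ProcRecord]] = defaultdict(list)
    for r in records:
        by_pid[r.pid].append(r)
    out = []
    for r in records:
        owners = [p for p in by_pid.get(r.ppid, []) if p.start <= r.start]
        if not owners:
            continue  # parent not in the record set (e.g. started before monitoring)
        actual = max(owners, key=lambda p: p.start)
        if actual.image != r.parent_image:
            out.append((r.pid, r.parent_image, actual.image))
    return out


# Constructed records modelled on the report's process list. Timings, the
# taskkill targets and the cmd.exe entry are illustrative; 0xd40 reproduces
# the report's mislabelled parent (0xfbc is net.exe, labelled net1.exe).
SAMPLE = [
    ProcRecord(0x77c, 0x3a0, "explorer.exe", "fmoac.exe", r"C:\Users\victim\Desktop\FmoAc.exe", 0.0),
    ProcRecord(0x938, 0x77c, "fmoac.exe", "taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F', 198.5),
    ProcRecord(0x944, 0x77c, "fmoac.exe", "taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM vssvc.exe /F', 198.6),
    ProcRecord(0xfa0, 0x77c, "fmoac.exe", "net.exe", r'"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y', 199.0),
    ProcRecord(0xaec, 0xfa0, "net.exe", "net1.exe", r"C:\Windows\system32\net1 stop BackupExecVSSProvider /y", 199.2),
    ProcRecord(0xe3c, 0x77c, "fmoac.exe", "net.exe", r'"C:\Windows\System32\net.exe" stop DCAgent /y', 199.3),
    ProcRecord(0xfbc, 0x77c, "fmoac.exe", "net.exe", r'"C:\Windows\System32\net.exe" stop EPSecurityService /y', 199.4),
    ProcRecord(0xd18, 0x77c, "fmoac.exe", "net.exe", r'"C:\Windows\System32\net.exe" stop EPUpdateService /y', 199.5),
    ProcRecord(0xe94, 0x77c, "fmoac.exe", "net.exe", r'"C:\Windows\System32\net.exe" stop EraserSvc11710 /y', 199.5),
    ProcRecord(0xd40, 0xfbc, "net1.exe", "net1.exe", r"C:\Windows\system32\net1 stop EPSecurityService /y", 199.6),
    ProcRecord(0xe2c, 0xe3c, "net.exe", "net1.exe", r"C:\Windows\system32\net1 stop DCAgent /y", 200.0),
    # an administrator stopping a single service from a shell: classified, but no burst
    ProcRecord(0x500, 0x200, "cmd.exe", "net.exe", r'"C:\Windows\System32\net.exe" stop Spooler /y', 50.0),
]

if __name__ == "__main__":
    for ppid, targets in find_bursts(SAMPLE).items():
        print(f"parent {ppid:#x} stopped/killed {len(targets)} targets: {targets}")
    for child, labelled, actual in parent_label_mismatches(SAMPLE):
        print(f"child {child:#x}: parent labelled {labelled}, PID was held by {actual}")
```

Only the direct net.exe and taskkill.exe children are counted toward the burst; counting the net1.exe grandchildren as well would attribute one event each to every net.exe and never reach the threshold, while still doubling the noise. The parent cross-check is deliberately tied to start time rather than PID alone, which is exactly the distinction the #533/#528 discrepancy turns on.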
Process #534: net1.exe
17 0
Information Value
ID #534
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop DCAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:20, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe2c
Parent PID 0xe3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff810000 0xff842fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff810000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:36 (UTC) True 1 Fn
Get Time type = Ticks, time = 60107 True 1 Fn
Process #535: net.exe
0 0
Information Value
ID #535
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EsgShKernel /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:20, Reason: Child Process
Unmonitor End Time: 00:03:21, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd88
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #536: net.exe
0 0
Information Value
ID #536
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop FA_Scheduler /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:20, Reason: Child Process
Unmonitor End Time: 00:03:21, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc34
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #537: net.exe
0 0
Information Value
ID #537
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop IISAdmin /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:20, Reason: Child Process
Unmonitor End Time: 00:03:21, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb84
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #538: net1.exe
17 0
Information Value
ID #538
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EraserSvc11710 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:20, Reason: Child Process
Unmonitor End Time: 00:03:21, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb10
Parent PID 0xe94 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0024ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:36 (UTC) True 1 Fn
Get Time type = Ticks, time = 60465 True 1 Fn
Process #539: net1.exe
17 0
Information Value
ID #539
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EPUpdateService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:20, Reason: Child Process
Unmonitor End Time: 00:03:21, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xafc
Parent PID 0xd18 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:36 (UTC) True 1 Fn
Get Time type = Ticks, time = 60497 True 1 Fn
Process #540: net.exe
0 0
Information Value
ID #540
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop IMAP4Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:20, Reason: Child Process
Unmonitor End Time: 00:03:22, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaf8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #541: net.exe
0 0
Information Value
ID #541
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop macmnsvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:22, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd48
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #542: net1.exe
17 0
Information Value
ID #542
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EsgShKernel /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:21, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xbe0
Parent PID 0xd88 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe20000 0xffe52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffe20000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:37 (UTC) True 1 Fn
Get Time type = Ticks, time = 60824 True 1 Fn
Process #543: net1.exe
17 0
Information Value
ID #543
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop FA_Scheduler /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:21, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa24
Parent PID 0xc34 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe20000 0xffe52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffe20000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:37 (UTC) True 1 Fn
Get Time type = Ticks, time = 60855 True 1 Fn
Process #544: net.exe
0 0
Information Value
ID #544
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop masvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa70
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x36C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #545: net.exe
0 0
Information Value
ID #545
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MBAMService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc04
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #546: net.exe
0 0
Information Value
ID #546
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb94
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #547: net1.exe
17 0
Information Value
ID #547
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop IISAdmin /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:21, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa80
Parent PID 0xb84 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffd0000 0x100002fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfffd0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:37 (UTC) True 1 Fn
Get Time type = Ticks, time = 61121 True 1 Fn
Process #548: net1.exe
17 0
Information Value
ID #548
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop macmnsvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:22, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe28
Parent PID 0xd48 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff10000 0xfff42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:37 (UTC) True 1 Fn
Get Time type = Ticks, time = 61308 True 1 Fn
Process #549: net.exe
0 0
Information Value
ID #549
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:24, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd0c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #550: net1.exe
17 0
Information Value
ID #550
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop IMAP4Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xd10
Parent PID 0xaf8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff10000 0xfff42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:37 (UTC) True 1 Fn
Get Time type = Ticks, time = 61448 True 1 Fn
Process #551: net.exe
0 0
Information Value
ID #551
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeFramework /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:24, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9b8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #552: net1.exe
17 0
Information Value
ID #552
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop masvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xba0
Parent PID 0xa70 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff10000 0xfff42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:38 (UTC) True 1 Fn
Get Time type = Ticks, time = 61807 True 1 Fn
Process #553: net1.exe
Information Value
ID #553
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MBAMService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xac4
Parent PID 0xc04 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff10000 0xfff42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6a80000 0x7fef6a91fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:38 (UTC) True 1 Fn
Get Time type = Ticks, time = 61729 True 1 Fn
Process #554: net.exe
Information Value
ID #554
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:03:24, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x928
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #555: net.exe
Information Value
ID #555
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McShield /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:22, Reason: Child Process
Unmonitor End Time: 00:03:24, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9c0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #556: net1.exe
Information Value
ID #556
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MBEndpointAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:22, Reason: Child Process
Unmonitor End Time: 00:03:22, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x9b4
Parent PID 0xb94 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:38 (UTC) True 1 Fn
Get Time type = Ticks, time = 62275 True 1 Fn
Process #557: net.exe
Information Value
ID #557
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McTaskManager /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:22, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaa8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x988
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #558: net1.exe
Information Value
ID #558
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeFramework /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:22, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9dc
Parent PID 0x9b8 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:38 (UTC) True 1 Fn
Get Time type = Ticks, time = 62337 True 1 Fn
Process #559: net.exe
Information Value
ID #559
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfemms /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:22, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7bc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #560: net1.exe
Information Value
ID #560
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeEngineService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:22, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc6c
Parent PID 0xd0c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff530000 0xff562fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff530000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:39 (UTC) True 1 Fn
Get Time type = Ticks, time = 62728 True 1 Fn
Process #561: net1.exe
Information Value
ID #561
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:22, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb08
Parent PID 0x928 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff530000 0xff562fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff530000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:39 (UTC) True 1 Fn
Get Time type = Ticks, time = 62759 True 1 Fn
Process #562: net1.exe
17 0
Information Value
ID #562
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McShield /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:22, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xab4
Parent PID 0x9c0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x978
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff530000 0xff562fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff530000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:39 (UTC) True 1 Fn
Get Time type = Ticks, time = 62790 True 1 Fn
Process #563: net.exe
0 0
Information Value
ID #563
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfevtp /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:25, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcd0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #564: net.exe
0 0
Information Value
ID #564
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MMS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:24, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb8c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #565: net1.exe
17 0
Information Value
ID #565
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McTaskManager /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:24, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9bc
Parent PID 0xaa8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000580000 0x00580000 0x0058ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffeb0000 0xffee2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffeb0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:39 (UTC) True 1 Fn
Get Time type = Ticks, time = 63196 True 1 Fn
Process #566: net1.exe
17 0
Information Value
ID #566
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfemms /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa54
Parent PID 0x7bc (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffeb0000 0xffee2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffeb0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:39 (UTC) True 1 Fn
Get Time type = Ticks, time = 63211 True 1 Fn
Process #567: net.exe
0 0
Information Value
ID #567
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mozyprobackup /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:25, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb90
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x84C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #568: net.exe
0 0
Information Value
ID #568
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:25, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa7c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #569: net1.exe
17 0
Information Value
ID #569
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MMS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:25, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x920
Parent PID 0xb8c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4a0000 0xff4d2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff4a0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:40 (UTC) True 1
Get Time type = Ticks, time = 63757 True 1
Process #570: net1.exe
17 0
Information Value
ID #570
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfevtp /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:24, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xcd4
Parent PID 0xcd0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4a0000 0xff4d2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff4a0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:40 (UTC) True 1
Get Time type = Ticks, time = 63710 True 1
Process #571: net.exe
0 0
Information Value
ID #571
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:24, Reason: Child Process
Unmonitor End Time: 00:03:25, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc9c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #572: net.exe
0 0
Information Value
ID #572
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:24, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x96c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #573: net1.exe
17 0
Information Value
ID #573
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mozyprobackup /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:24, Reason: Child Process
Unmonitor End Time: 00:03:25, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc28
Parent PID 0xb90 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff860000 0xff892fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff860000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:40 (UTC) True 1
Get Time type = Ticks, time = 64678 True 1
Process #574: net.exe
0 0
Information Value
ID #574
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeES /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:24, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbb0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #575: net1.exe
17 0
Information Value
ID #575
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer100 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:24, Reason: Child Process
Unmonitor End Time: 00:03:25, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9d8
Parent PID 0xc9c (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff860000 0xff892fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff860000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:41 (UTC) True 1
Get Time type = Ticks, time = 64802 True 1
Process #576: net1.exe
17 0
Information Value
ID #576
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:24, Reason: Child Process
Unmonitor End Time: 00:03:25, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa40
Parent PID 0xa7c (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff860000 0xff892fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff860000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:41 (UTC) True 1
Get Time type = Ticks, time = 64849 True 1
Process #577: net1.exe
17 0
Information Value
ID #577
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer110 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:24, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xa98
Parent PID 0x96c (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x934
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff860000 0xff892fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff860000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:41 (UTC) True 1
Fn
Get Time type = Ticks, time = 64740 True 1
Fn
Process #578: net.exe
0 0
Information Value
ID #578
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeIS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:25, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd7c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #579: net.exe
0 0
Information Value
ID #579
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:25, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xadc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x97C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000580000 0x00580000 0x0058ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #580: net.exe
0 0
Information Value
ID #580
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:25, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9d0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #581: net1.exe
17 0
Information Value
ID #581
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeES /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:25, Reason: Child Process
Unmonitor End Time: 00:03:25, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xdec
Parent PID 0xbb0 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x868
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
private_0x00000000006a0000 0x006a0000 0x006affff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff980000 0xff9b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff980000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:41 (UTC) True 1
Fn
Get Time type = Ticks, time = 65239 True 1
Fn
Process #582: net.exe
0 0
Information Value
ID #582
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeSA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:25, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf88
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #583: net.exe
0 0
Information Value
ID #583
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:25, Reason: Child Process
Unmonitor End Time: 00:03:27, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x86c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #584: net1.exe
17 0
Information Value
ID #584
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeIS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:25, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf98
Parent PID 0xd7c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffcf0000 0xffd22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffcf0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:41 (UTC) True 1
Fn
Get Time type = Ticks, time = 65442 True 1
Fn
Process #585: net.exe
0 0
Information Value
ID #585
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:25, Reason: Child Process
Unmonitor End Time: 00:03:27, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd24
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #586: net1.exe
17 0
Information Value
ID #586
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeMGMT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd68
Parent PID 0xadc (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdd0000 0xffe02fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffdd0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
»
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:42 (UTC) True 1
Fn
Get Time type = Ticks, time = 65879 True 1
Fn
Process #587: net1.exe
17 0
Information Value
ID #587
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeMTA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xdd4
Parent PID 0x9d0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdd0000 0xffe02fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffdd0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 65941 True 1 Fn
Process #588: net1.exe
17 0
Information Value
ID #588
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeSA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:27, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe0c
Parent PID 0xf88 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x6D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdd0000 0xffe02fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffdd0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 65988 True 1 Fn
Process #589: net.exe
0 0
Information Value
ID #589
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:27, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xde8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #590: net1.exe
17 0
Information Value
ID #590
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeSRS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xf58
Parent PID 0x86c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5a0000 0xff5d2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff5a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 66253 True 1 Fn
Process #591: net.exe
0 0
Information Value
ID #591
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:27, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xccc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #592: net.exe
0 0
Information Value
ID #592
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:28, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf9c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #593: net.exe
0 0
Information Value
ID #593
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:27, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x860
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #594: net1.exe
17 0
Information Value
ID #594
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:27, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe54
Parent PID 0xd24 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff140000 0xff172fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff140000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 66503 True 1 Fn
Process #595: net.exe
0 0
Information Value
ID #595
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:28, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc1c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #596: net1.exe
17 0
Information Value
ID #596
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:27, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xcec
Parent PID 0xde8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff970000 0xff9a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff970000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:43 (UTC) True 1
Get Time type = Ticks, time = 66862 True 1
Process #597: net1.exe
Information Value
ID #597
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:27, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x8cc
Parent PID 0x860 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x85C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff970000 0xff9a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff970000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:43 (UTC) True 1
Get Time type = Ticks, time = 66846 True 1
Process #598: net.exe
Information Value
ID #598
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:28, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe08
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #599: net1.exe
Information Value
ID #599
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:27, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe4c
Parent PID 0xccc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x61C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff630000 0xff662fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff630000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:43 (UTC) True 1
Get Time type = Ticks, time = 67158 True 1
Process #600: net.exe
Information Value
ID #600
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:28, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x864
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #601: net.exe
Information Value
ID #601
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:29, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe44
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #602: net1.exe
Information Value
ID #602
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:28, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x754
Parent PID 0xf9c (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:43 (UTC) True 1
Get Time type = Ticks, time = 67392 True 1
Process #603: net.exe
Information Value
ID #603
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:29, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9e0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x930
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #604: net1.exe
Information Value
ID #604
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:28, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x874
Parent PID 0xc1c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x458
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:43 (UTC) True 1
Get Time type = Ticks, time = 67626 True 1
Process #605: net1.exe
17 0
Information Value
ID #605
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:28, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe60
Parent PID 0x864 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:44 (UTC) True 1 Fn
Get Time type = Ticks, time = 67704 True 1 Fn
Process #606: net1.exe
17 0
Information Value
ID #606
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:28, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8c0
Parent PID 0xe08 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:44 (UTC) True 1 Fn
Get Time type = Ticks, time = 67704 True 1 Fn
Process #607: net.exe
0 0
Information Value
ID #607
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:30, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x334
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #608: net1.exe
17 0
Information Value
ID #608
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:29, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8e8
Parent PID 0x9e0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x40C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff130000 0xff162fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff130000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:44 (UTC) True 1 Fn
Get Time type = Ticks, time = 68110 True 1 Fn
Process #609: net1.exe
17 0
Information Value
ID #609
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:28, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x5f0
Parent PID 0xe44 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x808
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff130000 0xff162fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff130000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:44 (UTC) True 1 Fn
Get Time type = Ticks, time = 68016 True 1 Fn
Process #610: net.exe
0 0
Information Value
ID #610
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:30, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe18
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #611: net.exe
0 0
Information Value
ID #611
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:30, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x314
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x5F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #612: net.exe
0 0
Information Value
ID #612
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:30, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xec8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x834
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
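The processes above are the sample's pre-encryption step: fmoac.exe (PID 0x77c here) fans out one `net.exe stop MSSQL$<instance> /y` child per SQL Server instance in its list, and earlier one `taskkill.exe /IM <name> /F` per process name, so that database and document files are not held open while they are encrypted. Two details matter for detection. First, net.exe is only a launcher: each `net stop` shows up again as a `net1 stop ...` grandchild (#605, #606, #608, #609, #613), so a rule that keys on the immediate parent attributes the stop to net.exe rather than to the malware. Second, the sandbox labels parents by PID, and PIDs are recycled: #613's parent 0x334 is printed as taskkill.exe although #607 shows PID 0x334 as the net.exe that issued the same `stop MSSQL$SHAREPOINT`. The following is an added detection example, not VMRay's code and not part of this report. It runs over a constructed, Sysmon-Event-ID-1-like list of process-creation records whose PIDs and command lines mirror the tree on this page (the record fields, the exited taskkill.exe sharing PID 0x334, and the benign cmd.exe administrator are assumptions); it resolves a parent as the most recent process created with that PID, walks past net.exe/net1.exe to the real originator, and alerts when one originator stops or kills several distinct targets inside a short window.

```python
"""Flag a process that fans out many `net stop` / `taskkill /F` commands in a
short window. Added example, not VMRay's code. Record shape and sample events
are assumptions modelled on the report's process tree."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    ts: float        # seconds since the start of the trace (assumed field)
    pid: int
    ppid: int
    image: str       # full image path of the created process
    cmdline: str


# net.exe only re-launches net1.exe with the same arguments; both are relays,
# so the process that "issued" a stop is their nearest non-relay ancestor.
WRAPPERS = {"net.exe", "net1.exe"}
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(\S+)', re.I)
# taskkill counts only with /F (forced); /FI (filter) does not satisfy \b.
TASKKILL_RE = re.compile(r'\btaskkill(?:\.exe)?"?\s+(?=.*\s/F\b).*?/IM\s+(\S+)', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_target(cmdline: str) -> Optional[tuple[str, str]]:
    """('service', NAME) for `net stop NAME`, ('process', name) for
    `taskkill /IM name /F`, None for anything else."""
    m = NET_STOP_RE.search(cmdline)
    if m:
        return ("service", m.group(1).upper())
    m = TASKKILL_RE.search(cmdline)
    if m:
        return ("process", m.group(1).lower())
    return None


def index_by_pid(events: list[ProcEvent]) -> dict[int, list[ProcEvent]]:
    idx: dict[int, list[ProcEvent]] = defaultdict(list)
    for ev in events:
        idx[ev.pid].append(ev)
    return idx


def resolve_parent(ev: ProcEvent, idx: dict[int, list[ProcEvent]]) -> Optional[ProcEvent]:
    """Most recent process with pid == ev.ppid created no later than ev.
    A plain PID match can name a long-dead process (the report labels #613's
    parent 0x334 as taskkill.exe although #607 net.exe has that PID); Sysmon's
    ParentProcessGuid makes this exact, here the creation time stands in."""
    cands = [p for p in idx.get(ev.ppid, []) if p.ts <= ev.ts and p is not ev]
    return max(cands, key=lambda p: p.ts) if cands else None


def originator(ev: ProcEvent, idx: dict[int, list[ProcEvent]]) -> ProcEvent:
    """Nearest ancestor of ev that is not a net.exe/net1.exe relay."""
    cur = resolve_parent(ev, idx)
    for _ in range(16):                      # depth cap guards against bad data
        if cur is None or basename(cur.image) not in WRAPPERS:
            break
        cur = resolve_parent(cur, idx)
    return cur if cur is not None else ev


def find_kill_bursts(events: list[ProcEvent], window: float = 60.0,
                     threshold: int = 3) -> list[dict]:
    """One alert per originator that stopped/killed >= threshold distinct
    targets within `window` seconds; the whole burst is reported."""
    idx = index_by_pid(events)
    hits: dict[ProcEvent, list[tuple[float, tuple[str, str]]]] = defaultdict(list)
    for ev in events:
        tgt = extract_target(ev.cmdline)
        if tgt is not None:
            hits[originator(ev, idx)].append((ev.ts, tgt))
    alerts = []
    for orig, seq in hits.items():
        seq.sort()
        lo = 0
        for hi in range(len(seq)):
            while seq[hi][0] - seq[lo][0] > window:
                lo += 1
            if len({t for _, t in seq[lo:hi + 1]}) >= threshold:
                end = hi
                while end + 1 < len(seq) and seq[end + 1][0] - seq[lo][0] <= window:
                    end += 1
                alerts.append({"pid": orig.pid, "image": orig.image, "first_ts": seq[lo][0],
                               "targets": sorted({t for _, t in seq[lo:end + 1]})})
                break
    return alerts


# Constructed sample trace: PIDs and command lines follow the report's tree; the
# exited taskkill.exe that shares PID 0x334 and the cmd.exe admin are made up.
NET, NET1, TK = (r"C:\Windows\System32\net.exe", r"C:\Windows\System32\net1.exe",
                 r"C:\Windows\System32\taskkill.exe")
SAMPLE_EVENTS = [
    ProcEvent(0.0, 0x77c, 0x5a0, r"C:\Users\user\Desktop\FmoAc.exe", r'"C:\Users\user\Desktop\FmoAc.exe"'),
    ProcEvent(1.0, 0x334, 0x77c, TK, r'"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F'),
    ProcEvent(1.1, 0x938, 0x77c, TK, r'"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F'),
    ProcEvent(208.0, 0x334, 0x77c, NET, r'"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y'),
    ProcEvent(208.0, 0xe18, 0x77c, NET, r'"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y'),
    ProcEvent(208.0, 0x314, 0x77c, NET, r'"C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y'),
    ProcEvent(208.0, 0xec8, 0x77c, NET, r'"C:\Windows\System32\net.exe" stop MSSQL$TPS /y'),
    ProcEvent(208.3, 0x644, 0x334, NET1, r"C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y"),
    # benign: an administrator stopping one service from an interactive shell
    ProcEvent(900.0, 0x800, 0x3c0, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(901.0, 0x910, 0x800, NET, r"net stop spooler /y"),
    ProcEvent(901.2, 0x920, 0x910, NET1, r"C:\Windows\system32\net1 stop spooler /y"),
]

if __name__ == "__main__":
    for a in find_kill_bursts(SAMPLE_EVENTS):
        print(f"pid 0x{a['pid']:x} {a['image']} hit {len(a['targets'])} targets from t={a['first_ts']}: {a['targets']}")
```

On the constructed trace the only alert names fmoac.exe (0x77c) with the four MSSQL$ instances; the net1.exe child whose PPID 0x334 matches both the dead taskkill.exe and the live net.exe is attributed through net.exe to the malware, and the administrator's single `net stop spooler` stays below the threshold. Tune `window` and `threshold` against your own baseline of service restarts; installers and patch cycles also stop several services in a row, so the originator image and its signing status are the obvious next fields to add to the alert.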
Process #613: net1.exe
17 0
Information Value
ID #613
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:29, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x644
Parent PID 0x334 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x324
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff280000 0xff2b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff280000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:44 (UTC) True 1 Fn
Get Time type = Ticks, time = 68406 True 1 Fn
Process #614: net.exe
0 0
Information Value
ID #614
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x538
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x828
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000005b0000 0x005b0000 0x005bffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #615: net.exe
0 0
Information Value
ID #615
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:30, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x820
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x93C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #616: net1.exe
17 0
Information Value
ID #616
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:30, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x89c
Parent PID 0xe18 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x740
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff90000 0xfffc2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff90000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:45 (UTC) True 1 Fn
Get Time type = Ticks, time = 68749 True 1 Fn
Process #617: net1.exe
17 0
Information Value
ID #617
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:30, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x78c
Parent PID 0x314 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x330
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff90000 0xfffc2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff90000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:45 (UTC) True 1 Fn
Get Time type = Ticks, time = 68843 True 1 Fn
Process #618: net.exe
0 0
Information Value
ID #618
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:30, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb3c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #619: net.exe
0 0
Information Value
ID #619
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:30, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x95c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #620: net1.exe
17 0
Information Value
ID #620
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:30, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x528
Parent PID 0xec8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff850000 0xff882fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff850000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:45 (UTC) True 1 Fn
Get Time type = Ticks, time = 69139 True 1 Fn
Process #621: net.exe
0 0
Information Value
ID #621
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x734
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #622: net1.exe
17 0
Information Value
ID #622
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:30, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc50
Parent PID 0x820 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x824
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff850000 0xff882fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff850000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:45 (UTC) True 1
Get Time type = Ticks, time = 69342 True 1
Process #623: net1.exe
Information Value
ID #623
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xa9c
Parent PID 0x538 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff70000 0xfffa2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:46 (UTC) True 1
Get Time type = Ticks, time = 69904 True 1
Process #624: net.exe
Information Value
ID #624
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe88
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #625: net1.exe
Information Value
ID #625
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xea8
Parent PID 0x734 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff70000 0xfffa2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:46 (UTC) True 1
Get Time type = Ticks, time = 69935 True 1
Process #626: net1.exe
Information Value
ID #626
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x440
Parent PID 0xb3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x738
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff70000 0xfffa2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:46 (UTC) True 1
Get Time type = Ticks, time = 69966 True 1
Process #627: net1.exe
Information Value
ID #627
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe04
Parent PID 0x95c (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff70000 0xfffa2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:46 (UTC) True 1
Get Time type = Ticks, time = 70075 True 1
Process #628: net.exe
Information Value
ID #628
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf04
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #629: net.exe
Information Value
ID #629
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa18
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #630: net.exe
Information Value
ID #630
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6f0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #631: net.exe
Information Value
ID #631
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:32, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfb0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #632: net1.exe
Information Value
ID #632
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:32, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xe6c
Parent PID 0xe88 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff380000 0xff3b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff380000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:46 (UTC) True 1 Fn
Get Time type = Ticks, time = 70668 True 1 Fn
Process #633: net1.exe
Information Value
ID #633
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfac
Parent PID 0xf04 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000680000 0x00680000 0x0068ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff380000 0xff3b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff380000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:46 (UTC) True 1 Fn
Get Time type = Ticks, time = 70590 True 1 Fn
Process #634: net1.exe
Information Value
ID #634
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf14
Parent PID 0xa18 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff380000 0xff3b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff380000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 70699 True 1 Fn
Process #635: net.exe
Information Value
ID #635
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:32, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xde0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #636: net.exe
Information Value
ID #636
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:32, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfc8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #637: net1.exe
Information Value
ID #637
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xdc0
Parent PID 0x6f0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff280000 0xff2b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff280000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 71058 True 1 Fn
Process #638: net1.exe
Information Value
ID #638
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x944
Parent PID 0xfb0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff280000 0xff2b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff280000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 71198 True 1 Fn
Process #639: net.exe
0 0
Information Value
ID #639
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd20
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #640: net1.exe
17 0
Information Value
ID #640
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:32, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x958
Parent PID 0xde0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1e0000 0xff212fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff1e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 71573 True 1 Fn
Process #641: net1.exe
17 0
Information Value
ID #641
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLSERVER /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:32, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe40
Parent PID 0xfc8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1e0000 0xff212fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff1e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 71448 True 1 Fn
Process #642: net.exe
0 0
Information Value
ID #642
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfbc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #643: net.exe
0 0
Information Value
ID #643
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MySQL80 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb0c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x948
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #644: net.exe
0 0
Information Value
ID #644
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MySQL57 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7e0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #645: net.exe
0 0
Information Value
ID #645
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ntrtscan /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbdc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #646: net1.exe
17 0
Information Value
ID #646
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd1c
Parent PID 0xd20 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3f0000 0xff422fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3f0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:48 (UTC) True 1 Fn
Get Time type = Ticks, time = 72150 True 1 Fn
Process #647: net1.exe
17 0
Information Value
ID #647
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:32, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd30
Parent PID 0xfbc (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3f0000 0xff422fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:48 (UTC) True 1
Get Time type = Ticks, time = 72181 True 1
Process #648: net.exe
Information Value
ID #648
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:34, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc90
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xbd4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #649: net1.exe
Information Value
ID #649
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MySQL80 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb70
Parent PID 0xb0c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xd58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3f0000 0xff422fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:48 (UTC) True 1
Get Time type = Ticks, time = 72368 True 1
Process #650: net.exe
Information Value
ID #650
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop PDVFSService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:34, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb74
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x51c
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #651: net1.exe
Information Value
ID #651
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MySQL57 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x924
Parent PID 0x7e0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xb60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffcf0000 0xffd22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffcf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:48 (UTC) True 1
Get Time type = Ticks, time = 72618 True 1
Process #652: net.exe
Information Value
ID #652
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop POP3Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:35, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb84
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xd44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #653: net1.exe
Information Value
ID #653
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ntrtscan /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:34, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfe8
Parent PID 0xbdc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xc7c
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff720000 0xff752fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff720000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:49 (UTC) True 1
Get Time type = Ticks, time = 73070 True 1
Process #654: net1.exe
Information Value
ID #654
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop OracleClientCache80 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:34, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd64
Parent PID 0xc90 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8f8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff720000 0xff752fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff720000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:49 (UTC) True 1
Get Time type = Ticks, time = 72946 True 1
Process #655: net1.exe
Information Value
ID #655
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop PDVFSService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x894
Parent PID 0xb74 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x45c
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff720000 0xff752fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff720000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:49 (UTC) True 1
Get Time type = Ticks, time = 73164 True 1
Process #656: net.exe
0 0
Information Value
ID #656
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:35, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x878
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x870
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
locale.nls 0x001e0000 0x00246fff Memory Mapped File r False False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #657: net.exe
0 0
Information Value
ID #657
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:35, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8ec
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #658: net.exe
0 0
Information Value
ID #658
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:35, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc8c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x718
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #659: net1.exe
17 0
Information Value
ID #659
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:34, Reason: Child Process
Unmonitor End Time: 00:03:34, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa64
Parent PID 0x878 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff530000 0xff562fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff530000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 73928 True 1 Fn
Process #660: net1.exe
17 0
Information Value
ID #660
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop POP3Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:34, Reason: Child Process
Unmonitor End Time: 00:03:35, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x158
Parent PID 0xb84 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x348
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff530000 0xff562fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff530000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 73850 True 1 Fn
Process #661: net.exe
0 0
Information Value
ID #661
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:34, Reason: Child Process
Unmonitor End Time: 00:03:35, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xef8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #662: net1.exe
17 0
Information Value
ID #662
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:34, Reason: Child Process
Unmonitor End Time: 00:03:34, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xbb8
Parent PID 0x8ec (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff530000 0xff562fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff530000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 74131 True 1 Fn
Process #663: net.exe
0 0
Information Value
ID #663
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:34, Reason: Child Process
Unmonitor End Time: 00:03:36, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xff8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #664: net.exe
0 0
Information Value
ID #664
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop RESvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:34, Reason: Child Process
Unmonitor End Time: 00:03:35, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd10
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #665: net1.exe
17 0
Information Value
ID #665
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:34, Reason: Child Process
Unmonitor End Time: 00:03:35, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc10
Parent PID 0xc8c (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc50000 0xffc82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:50 (UTC) True 1
Get Time type = Ticks, time = 74412 True 1
Process #666: net.exe
0 0
Information Value
ID #666
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop sacsvr /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:34, Reason: Child Process
Unmonitor End Time: 00:03:36, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x99c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x36C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x005dffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #667: net1.exe
17 0
Information Value
ID #667
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfec
Parent PID 0xef8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:51 (UTC) True 1
Get Time type = Ticks, time = 74911 True 1
Process #668: net1.exe
17 0
Information Value
ID #668
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:35, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa70
Parent PID 0xff8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:51 (UTC) True 1
Get Time type = Ticks, time = 74974 True 1
Process #669: net1.exe
17 0
Information Value
ID #669
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop RESvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbd8
Parent PID 0xd10 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:51 (UTC) True 1
Get Time type = Ticks, time = 75098 True 1
Process #670: net.exe
0 0
Information Value
ID #670
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SamSs /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:36, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9b4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #671: net.exe
0 0
Information Value
ID #671
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SAVAdminService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:36, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcd8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #672: net.exe
0 0
Information Value
ID #672
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SAVService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:37, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd84
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #673: net1.exe
17 0
Information Value
ID #673
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop sacsvr /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbe4
Parent PID 0x99c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x00000000005b0000 0x005b0000 0x005bffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff130000 0xff162fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff130000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:52 (UTC) True 1 Fn
Get Time type = Ticks, time = 75707 True 1 Fn
Process #674: net1.exe
Information Value
ID #674
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SamSs /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa60
Parent PID 0x9b4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff130000 0xff162fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff130000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (4)
Operation Additional Information Success Count Logfile
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:52 (UTC) True 1 Fn
Get Time type = Ticks, time = 75863 True 1 Fn
Process #675: net.exe
Information Value
ID #675
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SDRSVC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9c0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
locale.nls 0x00260000 0x002c6fff Memory Mapped File r False False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #676: net1.exe
Information Value
ID #676
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SAVAdminService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:36, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb44
Parent PID 0xcd8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x998
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff130000 0xff162fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff130000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:52 (UTC) True 1 Fn
Get Time type = Ticks, time = 75878 True 1 Fn
Process #677: net.exe
Information Value
ID #677
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SepMasterService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb28
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #678: net.exe
Information Value
ID #678
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ShMonitor /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x928
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #679: net.exe
Information Value
ID #679
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop Smcinst /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:37, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcb8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #680: net1.exe
Information Value
ID #680
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SDRSVC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:37, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x988
Parent PID 0x9c0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdc0000 0xffdf2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 44 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffdc0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = SDRSVC True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:52 (UTC) True 1 Fn
Get Time type = Ticks, time = 76502 True 1 Fn
Process #681: net1.exe
Information Value
ID #681
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SAVService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:37, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xaa8
Parent PID 0xd84 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdc0000 0xffdf2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffdc0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:52 (UTC) True 1 Fn
Get Time type = Ticks, time = 76612 True 1 Fn
Process #682: net.exe
0 0
Information Value
ID #682
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SmcService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xba8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #683: net.exe
0 0
Information Value
ID #683
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SMTPSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa0c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #684: net1.exe
17 0
Information Value
ID #684
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SepMasterService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbac
Parent PID 0xb28 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
private_0x00000000006c0000 0x006c0000 0x006cffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff090000 0xff0c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff090000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:53 (UTC) True 1 Fn
Get Time type = Ticks, time = 77033 True 1 Fn
Process #685: net1.exe
17 0
Information Value
ID #685
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop Smcinst /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:37, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa48
Parent PID 0xcb8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff090000 0xff0c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff090000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:53 (UTC) True 1 Fn
Get Time type = Ticks, time = 77189 True 1 Fn
Process #686: net1.exe
17 0
Information Value
ID #686
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ShMonitor /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x974
Parent PID 0x928 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff090000 0xff0c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff090000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:53 (UTC) True 1 Fn
Get Time type = Ticks, time = 77220 True 1 Fn
Process #687: net.exe
0 0
Information Value
ID #687
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SNAC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:39, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xce0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x984
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #688: net1.exe
17 0
Information Value
ID #688
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SmcService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb90
Parent PID 0xba8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbf0000 0xffc22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffbf0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:53 (UTC) True 1 Fn
Get Time type = Ticks, time = 77516 True 1 Fn
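The net.exe and net1.exe processes above are the report's record of the sample's defence-evasion step: fmoac.exe (PID 0x77c) issues `net stop <service> /y` against Symantec Endpoint Protection components (SmcService, SepMasterService, Smcinst, SNAC), Sophos (sophossps) and further services (ShMonitor, SMTPSvc, SntpService), and each net.exe in turn spawns net1.exe with the same arguments, which is normal net.exe behaviour rather than a second attempt. The failed Get Service Name calls and the short writes to STD_ERROR_HANDLE are consistent with those services not being installed on the analysis VM; that is an inference from the tables, not something the report states. The Python below is an added example, not part of the VMRay report or of any vendor's product. It runs a detection over process-creation records constructed here from the command lines shown above, attributes each stop to the nearest ancestor that is not net.exe or net1.exe so the wrapper/worker pair counts once, and alerts on either a watch-listed target or a burst of distinct stops from one parent. The record fields, fmoac.exe's own parent PID, the timestamps, the benign cmd.exe control records, the watch-list membership and the burst threshold are assumptions to be mapped onto real telemetry (Sysmon Event ID 1, Security event 4688 or an EDR process feed).

```python
"""Service-stop burst detection. Added example, not from the VMRay report.

Input: simplified process-creation records (constructed below from the
report's command lines).  Adapt the fields to Sysmon Event ID 1 / Security
4688 / your EDR feed; the watch-list and thresholds are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float      # seconds since start of the log (constructed values)
    pid: int
    ppid: int
    image: str     # full image path as the sensor logged it
    cmdline: str


# `net stop <service> /y` as issued by net.exe (the user-facing wrapper) or by
# net1.exe (the worker net.exe launches with the same arguments), quoted or
# unquoted, with or without a path.  One service per call, as in the report.
NET_STOP = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"\s]*\\)?net1?(?:\.exe)?"?\s+stop\s+"?([^"\s]+)"?\s+/y\b',
    re.IGNORECASE,
)
NET_IMAGES = {"net.exe", "net1.exe"}

# Stop targets taken from the command lines in this report (lower-cased).
# Assumption: in production this is your own inventory of AV/EDR, backup and
# database service names.
OBSERVED_KILL_TARGETS = {
    "smcservice", "sepmasterservice", "smcinst", "shmonitor",
    "snac", "sntpservice", "sophossps", "smtpsvc",
}
BURST_MIN_SERVICES = 3   # assumption: distinct services from one parent ...
BURST_WINDOW_S = 60.0    # ... first seen within this many seconds


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def attribute_stops(events):
    """Map (root_pid, root_image) -> {(ts, service), ...} for every net stop.

    The root is the nearest ancestor that is not net.exe/net1.exe, so the
    net.exe -> net1.exe pair seen in the report is one attempt, not two."""
    by_pid = {e.pid: e for e in events}
    stops = defaultdict(set)
    for e in events:
        if basename(e.image) not in NET_IMAGES:
            continue
        m = NET_STOP.match(e.cmdline.strip())
        if not m:
            continue
        cur = e
        while cur.ppid in by_pid and basename(by_pid[cur.ppid].image) in NET_IMAGES:
            cur = by_pid[cur.ppid]          # climb past the net.exe wrapper
        root = by_pid.get(cur.ppid)
        key = (root.pid, basename(root.image)) if root else (cur.ppid, "<unknown>")
        stops[key].add((e.ts, m.group(1).lower()))
    return stops


def evaluate(events):
    """Return [(root_pid, root_image, reason, sorted services)] alerts."""
    alerts = []
    for (pid, image), hits in attribute_stops(events).items():
        first_seen = {}
        for ts, svc in hits:
            first_seen[svc] = min(ts, first_seen.get(svc, ts))
        watched = sorted(set(first_seen) & OBSERVED_KILL_TARGETS)
        if watched:
            alerts.append((pid, image, "stops security/backup service", watched))
            continue
        # sliding window over the first-seen time of each distinct service
        times = sorted(first_seen.values())
        n = BURST_MIN_SERVICES
        if any(times[i + n - 1] - times[i] <= BURST_WINDOW_S
               for i in range(len(times) - n + 1)):
            alerts.append((pid, image, "service-stop burst", sorted(first_seen)))
    return alerts


# Constructed from the report's process tree (PIDs and command lines as shown
# there; fmoac.exe's own parent, the timestamps and the cmd.exe control
# records are made up).
SAMPLE_EVENTS = [
    ProcEvent(0.0, 0x77c, 0x1a0, r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe",
              r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe"'),
    ProcEvent(216.0, 0xba8, 0x77c, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop SmcService /y'),
    ProcEvent(217.0, 0xb90, 0xba8, r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 stop SmcService /y"),
    ProcEvent(217.0, 0xa0c, 0x77c, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop SMTPSvc /y'),
    ProcEvent(218.0, 0xa7c, 0xa0c, r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 stop SMTPSvc /y"),
    ProcEvent(217.0, 0xce0, 0x77c, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop SNAC /y'),
    ProcEvent(217.0, 0x934, 0x77c, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop SntpService /y'),
    ProcEvent(218.0, 0xa40, 0x77c, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop sophossps /y'),
    ProcEvent(0.0, 0x1000, 0x800, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(300.0, 0x1234, 0x1000, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop Spooler /y'),
]

if __name__ == "__main__":
    for pid, image, reason, services in evaluate(SAMPLE_EVENTS):
        print(f"ALERT pid={pid:#x} image={image} reason={reason} services={services}")
```

On the constructed records this yields a single alert for fmoac.exe covering five distinct services, and nothing for the cmd.exe control that stops one unrelated service. The watch-list rule fires on the first hit, so it is the one to keep tight; the burst rule is the fallback for kill-lists that name services your inventory does not know about, and its threshold should be set from a baseline of how often administrators on your estate run `net stop` in quick succession.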
Process #689: net.exe
0 0
Information Value
ID #689
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SntpService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x934
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #690: net.exe
0 0
Information Value
ID #690
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop sophossps /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa40
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #691: net1.exe
17 host behavior entries, 0 network behavior entries
Information Value
ID #691
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SMTPSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa7c
Parent PID 0xa0c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff990000 0xff9c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff990000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:54 (UTC) True 1
Get Time type = Ticks, time = 78140 True 1
Process #692: net1.exe
17 host behavior entries, 0 network behavior entries
Information Value
ID #692
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SntpService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x990
Parent PID 0x934 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff990000 0xff9c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff990000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:54 (UTC) True 1
Get Time type = Ticks, time = 78047 True 1
Process #693: net1.exe
17 host behavior entries, 0 network behavior entries
Information Value
ID #693
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SNAC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc38
Parent PID 0xce0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0019ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff990000 0xff9c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b30000 0x7fef6b41fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff990000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:54 (UTC) True 1
Get Time type = Ticks, time = 78187 True 1
Process #694: net.exe
0 host behavior entries, 0 network behavior entries
Information Value
ID #694
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb40
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #695: net.exe
0 host behavior entries, 0 network behavior entries
Information Value
ID #695
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9ec
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x350
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #696: net.exe
0 host behavior entries, 0 network behavior entries
Information Value
ID #696
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xedc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #697: net1.exe
17 host behavior entries, 0 network behavior entries
Information Value
ID #697
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop sophossps /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xbb0
Parent PID 0xa40 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3c0000 0xff3f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:55 (UTC) True 1
Get Time type = Ticks, time = 78733 True 1
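The process records above all follow one pattern: fmoac.exe launches net.exe with `stop <service> /y`, net.exe re-launches itself as net1.exe, and net1.exe opens the service control manager, fails the service-name lookup (Get Service Name returns False because none of these products are installed in the sandbox) and writes a short error to STDERR. The write sizes of 30, 2 and 52 bytes are consistent with the standard "The service name is invalid." / "NET HELPMSG 2185" text plus CRLF; that reading is an inference from the byte counts, not something the report states. The practical caveat is that the failed lookups say nothing about impact: on a host that actually runs Sophos, Backup Exec or SQL Server the same commands would succeed, so detection should key on the burst of stop/kill requests from one non-system parent rather than on their outcome. The following detection logic is an added example and not part of the VMRay report or the sample; the event records are constructed from the command lines visible in the report, and the event schema (`t`, `pid`, `ppid`, `image`, `cmd`), the explorer.exe / cmd.exe ancestors, the `victim` user path and the relative timestamps are assumptions.

```python
"""Kill-storm detection over process-creation events.

Added example, not part of the VMRay report or the sample. EVENTS is a
constructed trace modelled on the report's process list; the schema, the
explorer.exe/cmd.exe ancestors and the timestamps are assumptions.
"""
import ntpath
import re
from collections import defaultdict

# `net stop <svc> /y` and `net1 stop <svc> /y`, quoted or not, with or without .exe
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(\S+)', re.IGNORECASE)
# `taskkill /IM <image> /F`
TASKKILL_RE = re.compile(r'\btaskkill(?:\.exe)?"?\s+.*?/IM\s+(\S+)', re.IGNORECASE)

# Constructed sample (one process-creation event per entry); t = seconds into the trace.
EVENTS = [
    {"t": 0.0,   "pid": 0x3e8,  "ppid": 0x1,    "image": r"c:\windows\explorer.exe",            "cmd": "explorer.exe"},
    {"t": 218.0, "pid": 0x77c,  "ppid": 0x3e8,  "image": r"c:\users\victim\desktop\fmoac.exe", "cmd": r'"C:\Users\victim\Desktop\FmoAc.exe"'},
    {"t": 218.1, "pid": 0x938,  "ppid": 0x77c,  "image": r"c:\windows\system32\taskkill.exe",  "cmd": r'"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F'},
    {"t": 218.1, "pid": 0x944,  "ppid": 0x77c,  "image": r"c:\windows\system32\taskkill.exe",  "cmd": r'"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F'},
    {"t": 218.3, "pid": 0xa40,  "ppid": 0x77c,  "image": r"c:\windows\system32\net.exe",       "cmd": r'"C:\Windows\System32\net.exe" stop sophossps /y'},
    {"t": 218.3, "pid": 0xbb0,  "ppid": 0xa40,  "image": r"c:\windows\system32\net1.exe",      "cmd": r"C:\Windows\system32\net1 stop sophossps /y"},
    {"t": 218.3, "pid": 0xa0c,  "ppid": 0x77c,  "image": r"c:\windows\system32\net.exe",       "cmd": r'"C:\Windows\System32\net.exe" stop SMTPSvc /y'},
    {"t": 218.3, "pid": 0xa7c,  "ppid": 0xa0c,  "image": r"c:\windows\system32\net1.exe",      "cmd": r"C:\Windows\system32\net1 stop SMTPSvc /y"},
    {"t": 218.4, "pid": 0xb40,  "ppid": 0x77c,  "image": r"c:\windows\system32\net.exe",       "cmd": r'"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y'},
    {"t": 219.0, "pid": 0xf40,  "ppid": 0xb40,  "image": r"c:\windows\system32\net1.exe",      "cmd": r"C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y"},
    {"t": 218.4, "pid": 0xce0,  "ppid": 0x77c,  "image": r"c:\windows\system32\net.exe",       "cmd": r'"C:\Windows\System32\net.exe" stop SNAC /y'},
    # Benign control (assumed): an administrator stopping one service from a shell
    {"t": 400.0, "pid": 0x1234, "ppid": 0x3e8,  "image": r"c:\windows\system32\cmd.exe",       "cmd": "cmd.exe"},
    {"t": 400.1, "pid": 0x1240, "ppid": 0x1234, "image": r"c:\windows\system32\net.exe",       "cmd": r'"C:\Windows\System32\net.exe" stop Spooler /y'},
]


def service_stopped(cmd):
    """Service name from a `net stop` / `net1 stop` command line, else None."""
    m = NET_STOP_RE.search(cmd)
    return m.group(1) if m else None


def image_killed(cmd):
    """Image name from a `taskkill /IM` command line, else None."""
    m = TASKKILL_RE.search(cmd)
    return m.group(1) if m else None


def originator(event, by_pid):
    """Process that actually issued the request: net.exe only re-launches
    itself as net1.exe, so both hops are skipped and the request is
    attributed to the first ancestor that is not net.exe/net1.exe."""
    parent = by_pid.get(event["ppid"])
    while parent and ntpath.basename(parent["image"]).lower() in ("net.exe", "net1.exe"):
        parent = by_pid.get(parent["ppid"])
    return parent


def find_kill_storms(events, threshold=5, window_s=10.0):
    """Map origin pid -> summary for processes that requested stops/kills of at
    least `threshold` distinct services and images within `window_s` seconds."""
    by_pid = {e["pid"]: e for e in events}
    per_origin = defaultdict(lambda: {"services": set(), "images": set(), "times": []})
    for e in events:
        svc, img = service_stopped(e["cmd"]), image_killed(e["cmd"])
        if not (svc or img):
            continue
        origin = originator(e, by_pid)
        if origin is None:
            continue  # parent missing from the trace: cannot attribute
        rec = per_origin[origin["pid"]]
        if svc:
            rec["services"].add(svc.lower())  # net.exe and its net1.exe child count once
        if img:
            rec["images"].add(img.lower())
        rec["times"].append(e["t"])
    hits = {}
    for pid, rec in per_origin.items():
        n = len(rec["services"]) + len(rec["images"])
        if n >= threshold and max(rec["times"]) - min(rec["times"]) <= window_s:
            hits[pid] = {
                "image": by_pid[pid]["image"],
                "services": sorted(rec["services"]),
                "images": sorted(rec["images"]),
                "count": n,
            }
    return hits


if __name__ == "__main__":
    for pid, hit in find_kill_storms(EVENTS).items():
        print(f"pid 0x{pid:x} {hit['image']}: {hit['count']} distinct targets")
        print("  services:", ", ".join(hit["services"]))
        print("  images:  ", ", ".join(hit["images"]))
```

Run stand-alone it flags only fmoac.exe (four services plus two images inside one second) and ignores the single `net stop Spooler` from cmd.exe. Deduplicating on the service name is what keeps the net.exe/net1.exe pair from inflating the count, and walking past net.exe in `originator` is what lands the alert on the ransomware process rather than on a stock Windows binary.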
Process #698: net.exe
0 host behavior entries, 0 network behavior entries
Information Value
ID #698
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbc0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #699: net1.exe
17 host behavior entries, 0 network behavior entries
Information Value
ID #699
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf40
Parent PID 0xb40 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x4D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3c0000 0xff3f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 78905 True 1 Fn
Process #700: net1.exe
17 0
Information Value
ID #700
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd04
Parent PID 0x9ec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3c0000 0xff3f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6b10000 0x7fef6b21fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 79014 True 1 Fn
Process #701: net.exe
0 0
Information Value
ID #701
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x97c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xADC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #702: net1.exe
17 0
Information Value
ID #702
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf70
Parent PID 0xbc0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff330000 0xff362fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff330000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 79451 True 1 Fn
Process #703: net1.exe
17 0
Information Value
ID #703
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xddc
Parent PID 0xedc (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff330000 0xff362fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff330000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 79482 True 1 Fn
Process #704: net.exe
0 0
Information Value
ID #704
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9d0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #705: net1.exe
17 0
Information Value
ID #705
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf88
Parent PID 0x97c (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff330000 0xff362fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff330000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 79778 True 1 Fn
Process #706: net.exe
0 0
Information Value
ID #706
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf08
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #707: net.exe
0 0
Information Value
ID #707
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf94
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x86C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #708: net.exe
0 0
Information Value
ID #708
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe54
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7EC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #709: net1.exe
17 0
Information Value
ID #709
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x85c
Parent PID 0xf08 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9b0000 0xff9e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9b0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 80543 True 1 Fn
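The net.exe / net1.exe pairs in this report are the sample's pre-encryption service shutdown. net.exe is only a launcher: it re-executes net1.exe with the same arguments, and it is net1.exe that opens the service control manager (Open Manager on SERVICES_ACTIVE_DATABASE) to stop the named SQL Server Agent instance. In the sandbox the Get Service Name lookup fails (Success = False), most likely because no such instance is installed there, and net1.exe writes its error text to STD_ERROR_HANDLE; on a database or backup server the same commands release the files those services keep open so the ransomware can encrypt them. The following detection logic is an added example and is not part of the VMRay report or of the sample. It replays constructed process-creation events (Sysmon Event ID 1 style; the PIDs, parents and command lines of the net.exe and net1.exe entries are copied from this report, while the timestamps, the taskkill PIDs, the fmoac.exe parent PID and the benign admin event are invented) and flags a parent that drives many `net stop … /y` / `taskkill /IM … /F` children in a short window. net1.exe children are folded back onto the grandparent so each target is counted once. The field names, the threshold of five distinct targets and the 60-second window are assumptions.

```python
"""
Added detection example (not part of the VMRay report or of the sample):
flag one parent driving many `net stop <service> /y` and
`taskkill /IM <image> /F` children within seconds.  net.exe only
re-executes net1.exe with the same arguments, so net1.exe events are
charged to their grandparent and each target is counted once.
"""
import re
from collections import defaultdict
from datetime import datetime

P = 0x77c  # fmoac.exe, the analysis target (PID as shown in the report)

# Constructed sample events in Sysmon Event ID 1 style.  net/net1 PIDs,
# parents and command lines are copied from the report; timestamps, the
# taskkill PIDs, fmoac.exe's own parent and the benign event are invented.
SAMPLE_EVENTS = [
    {"ts": "2018-11-27T08:45:30", "pid": P, "ppid": 0x4f0, "image": r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe",
     "cmd": r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe"'},
    {"ts": "2018-11-27T08:45:40", "pid": 0x964, "ppid": P, "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": r'"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F'},
    {"ts": "2018-11-27T08:45:41", "pid": 0x9b8, "ppid": P, "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": r'"C:\Windows\System32\taskkill.exe" /IM excel.exe /F'},
    {"ts": "2018-11-27T08:45:56", "pid": 0xf08, "ppid": P, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y'},
    {"ts": "2018-11-27T08:45:56", "pid": 0xf94, "ppid": P, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y'},
    {"ts": "2018-11-27T08:45:56", "pid": 0xe54, "ppid": P, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y'},
    {"ts": "2018-11-27T08:45:56", "pid": 0x85c, "ppid": 0xf08, "image": r"C:\Windows\system32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y"},
    {"ts": "2018-11-27T08:45:56", "pid": 0x5f4, "ppid": 0xf94, "image": r"C:\Windows\system32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y"},
    {"ts": "2018-11-27T08:45:57", "pid": 0x404, "ppid": 0xe54, "image": r"C:\Windows\system32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y"},
    {"ts": "2018-11-27T08:45:57", "pid": 0x838, "ppid": P, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop SQLAgent$TPS /y'},
    {"ts": "2018-11-27T08:45:57", "pid": 0x8bc, "ppid": P, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y'},
    {"ts": "2018-11-27T08:45:57", "pid": 0xd8c, "ppid": P, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y'},
    # Benign (invented): an admin restarting the print spooler from a console.
    {"ts": "2018-11-27T09:10:00", "pid": 0x1a2c, "ppid": 0x1000, "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net stop Spooler /y"},
]

# Both "net.exe" and the bare "net1" spelling seen in the report must match.
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(\S+)', re.IGNORECASE)
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?"?\s+/IM\s+(\S+)', re.IGNORECASE)


def extract_target(cmd):
    """Return ("service", name) or ("process", image) for a kill command, else None."""
    m = NET_STOP.search(cmd)
    if m:
        return ("service", m.group(1))
    m = TASKKILL.search(cmd)
    if m:
        return ("process", m.group(1))
    return None


def attribute_parent(ev, by_pid):
    """net.exe spawns net1.exe with identical arguments: charge net1.exe to the grandparent."""
    parent = by_pid.get(ev["ppid"])
    if ev["image"].lower().endswith(r"\net1.exe") and parent and parent["image"].lower().endswith(r"\net.exe"):
        return parent["ppid"]
    return ev["ppid"]


def find_service_kill_bursts(events, min_targets=5, window_s=60):
    """Alert on any parent with >= min_targets distinct kill targets inside window_s seconds."""
    by_pid = {e["pid"]: e for e in events}
    first_seen = defaultdict(dict)  # attributed parent pid -> {target: first timestamp}
    for ev in sorted(events, key=lambda e: e["ts"]):
        target = extract_target(ev["cmd"])
        if target is None:
            continue
        first_seen[attribute_parent(ev, by_pid)].setdefault(target, datetime.fromisoformat(ev["ts"]))

    alerts = []
    for ppid, targets in sorted(first_seen.items()):
        ordered = sorted(targets.items(), key=lambda kv: kv[1])
        for i in range(len(ordered)):
            # count the distinct targets that fall within window_s of the i-th one
            hits = [t for t, ts in ordered[i:] if (ts - ordered[i][1]).total_seconds() <= window_s]
            if len(hits) >= min_targets:
                services = sorted(n for kind, n in hits if kind == "service")
                procs = sorted(n for kind, n in hits if kind == "process")
                alerts.append({
                    "parent_pid": ppid,
                    "parent_image": by_pid[ppid]["image"] if ppid in by_pid else None,
                    "services": services,
                    "processes": procs,
                    # SQLAgent$<instance>, MSSQL$<instance>, SQLWriter... are the usual ransomware targets
                    "database_services_targeted": any("sql" in s.lower() for s in services),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in find_service_kill_bursts(SAMPLE_EVENTS):
        print(f"parent {a['parent_pid']:#x} ({a['parent_image']}): stopped {len(a['services'])} services, "
              f"killed {len(a['processes'])} processes, database services: {a['database_services_targeted']}")
```

On real telemetry, feed `find_service_kill_bursts` Sysmon Event ID 1 or Security 4688 records mapped to the same five fields. The threshold is deliberately on distinct targets rather than on event count, so the duplicated net.exe/net1.exe command lines do not inflate the score, and a single `net stop Spooler /y` from an administrator never trips it.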
Process #710: net1.exe
17 0
Information Value
ID #710
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x5f4
Parent PID 0xf94 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9b0000 0xff9e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9b0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 80558 True 1 Fn
Process #711: net1.exe
17 0
Information Value
ID #711
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x8cc
Parent PID 0x9d0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9b0000 0xff9e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9b0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 80512 True 1 Fn
Process #712: net.exe
0 0
Information Value
ID #712
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x838
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #713: net.exe
0 0
Information Value
ID #713
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8bc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #714: net1.exe
17 0
Information Value
ID #714
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x404
Parent PID 0xe54 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdc0000 0xffdf2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffdc0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:45:57 (UTC) True 1 Fn
Get Time type = Ticks, time = 81089 True 1 Fn
Process #715: net.exe
0 0
Information Value
ID #715
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd8c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #716: net1.exe
17 0
Information Value
ID #716
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x458
Parent PID 0x8bc (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x83C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdc0000 0xffdf2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdc0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:57 (UTC) True 1
Get Time type = Ticks, time = 81479 True 1
Process #717: net1.exe
17 0
Information Value
ID #717
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x874
Parent PID 0x838 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x640
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdc0000 0xffdf2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdc0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:57 (UTC) True 1
Get Time type = Ticks, time = 81494 True 1
Process #718: net.exe
0 0
Information Value
ID #718
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc1c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x344
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #719: net.exe
0 0
Information Value
ID #719
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLBrowser /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:42, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf64
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #720: net.exe
0 0
Information Value
ID #720
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:42, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x69c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x318
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #721: net1.exe
17 0
Information Value
ID #721
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:42, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe08
Parent PID 0xd8c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff90000 0xfffc2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff90000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:58 (UTC) True 1
Get Time type = Ticks, time = 82196 True 1
Process #722: net1.exe
17 0
Information Value
ID #722
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLBrowser /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:42, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x864
Parent PID 0xf64 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x408
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff90000 0xfffc2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff90000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:58 (UTC) True 1
Get Time type = Ticks, time = 82399 True 1
Process #723: net1.exe
17 0
Information Value
ID #723
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:42, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe78
Parent PID 0xc1c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x814
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff90000 0xfffc2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff90000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:58 (UTC) True 1
Get Time type = Ticks, time = 82462 True 1
Process #724: net.exe
Information Value
ID #724
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:42, Reason: Child Process
Unmonitor End Time: 00:03:44, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5f0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x964
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #725: net.exe
Information Value
ID #725
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:43, Reason: Child Process
Unmonitor End Time: 00:03:45, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x130
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x144
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x00000000005c0000 0x005c0000 0x005cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #726: net.exe
Information Value
ID #726
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:43, Reason: Child Process
Unmonitor End Time: 00:03:45, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x324
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x740
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #727: net1.exe
Information Value
ID #727
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLSafeOLRService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:43, Reason: Child Process
Unmonitor End Time: 00:03:44, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc88
Parent PID 0x69c (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff2a0000 0xff2d2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff2a0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:59 (UTC) True 1
Get Time type = Ticks, time = 83039 True 1
Process #728: net1.exe
Information Value
ID #728
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLSERVERAGENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:43, Reason: Child Process
Unmonitor End Time: 00:03:44, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x890
Parent PID 0x5f0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff2a0000 0xff2d2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff2a0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:59 (UTC) True 1
Get Time type = Ticks, time = 83070 True 1
Process #729: net.exe
Information Value
ID #729
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLWriter /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:43, Reason: Child Process
Unmonitor End Time: 00:03:45, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7e8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x328
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #730: net1.exe
Information Value
ID #730
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLTELEMETRY /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:43, Reason: Child Process
Unmonitor End Time: 00:03:45, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x174
Parent PID 0x130 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3e0000 0xff412fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3e0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:45:59 (UTC) True 1
Get Time type = Ticks, time = 83663 True 1
Process #731: net.exe
Information Value
ID #731
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SstpSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:43, Reason: Child Process
Unmonitor End Time: 00:03:45, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc20
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x898
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #732: net1.exe
Information Value
ID #732
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:44, Reason: Child Process
Unmonitor End Time: 00:03:45, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe9c
Parent PID 0x324 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x784
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3e0000 0xff412fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:00 (UTC) True 1 Fn
Get Time type = Ticks, time = 83772 True 1 Fn
Process #733: net1.exe
17 0
Information Value
ID #733
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLWriter /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:44, Reason: Child Process
Unmonitor End Time: 00:03:44, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xec0
Parent PID 0x7e8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3e0000 0xff412fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:00 (UTC) True 1 Fn
Get Time type = Ticks, time = 83819 True 1 Fn
Process #734: net.exe
0 0
Information Value
ID #734
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop svcGenericHost /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:44, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xee4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x6EC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #735: net.exe
0 0
Information Value
ID #735
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_filter /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:44, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe00
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #736: net1.exe
20 0
Information Value
ID #736
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SstpSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:44, Reason: Child Process
Unmonitor End Time: 00:03:45, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x818
Parent PID 0xc20 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 70 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = SSTPSVC True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:00 (UTC) True 1 Fn
Get Time type = Ticks, time = 84271 True 1 Fn
Process #737: net.exe
0 0
Information Value
ID #737
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_service /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:44, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb5c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #738: net1.exe
17 0
Information Value
ID #738
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop svcGenericHost /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:44, Reason: Child Process
Unmonitor End Time: 00:03:45, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xea0
Parent PID 0xee4 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:00 (UTC) True 1 Fn
Get Time type = Ticks, time = 84521 True 1 Fn
Process #739: net1.exe
17 0
Information Value
ID #739
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_filter /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:44, Reason: Child Process
Unmonitor End Time: 00:03:45, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf24
Parent PID 0xe00 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:00 (UTC) True 1 Fn
Get Time type = Ticks, time = 84536 True 1 Fn
Process #740: net.exe
Information Value
ID #740
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_update_64 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:44, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfac
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #741: net.exe
Information Value
ID #741
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TmCCSF /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:45, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb7c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #742: net1.exe
Information Value
ID #742
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_service /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:45, Reason: Child Process
Unmonitor End Time: 00:03:45, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xde4
Parent PID 0xb5c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff600000 0xff632fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff600000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:01 (UTC) True 1
Fn
Get Time type = Ticks, time = 85238 True 1
Fn
Process #743: net.exe
Information Value
ID #743
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop tmlisten /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:45, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd50
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #744: net1.exe
Information Value
ID #744
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TmCCSF /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:45, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa18
Parent PID 0xb7c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x82C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff600000 0xff632fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff600000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:01 (UTC) True 1
Fn
Get Time type = Ticks, time = 85426 True 1
Fn
Process #745: net1.exe
Information Value
ID #745
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_update_64 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:45, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xdc0
Parent PID 0xfac (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff600000 0xff632fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff600000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:01 (UTC) True 1
Fn
Get Time type = Ticks, time = 85488 True 1
Fn
Process #746: net.exe
Information Value
ID #746
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKey /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:45, Reason: Child Process
Unmonitor End Time: 00:03:47, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6f0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #747: net.exe
Information Value
ID #747
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: Child Process
Unmonitor End Time: 00:03:47, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa2c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x944
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #748: net1.exe
Information Value
ID #748
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop tmlisten /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xae0
Parent PID 0xd50 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x000affff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbd0000 0xffc02fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffbd0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:02 (UTC) True 1
Fn
Get Time type = Ticks, time = 85831 True 1
Fn
Process #749: net.exe
0 0
Information Value
ID #749
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: Child Process
Unmonitor End Time: 00:03:47, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfc4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #750: net.exe
0 0
Information Value
ID #750
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop UI0Detect /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe10
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #751: net1.exe
17 0
Information Value
ID #751
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKey /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb1c
Parent PID 0x6f0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x850
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaa0000 0xffad2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffaa0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:02 (UTC) True 1
Get Time type = Ticks, time = 86362 True 1
Process #752: net1.exe
17 0
Information Value
ID #752
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x368
Parent PID 0xfc4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x958
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaa0000 0xffad2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffaa0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:02 (UTC) True 1
Get Time type = Ticks, time = 86408 True 1
Process #753: net.exe
0 0
Information Value
ID #753
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: Child Process
Unmonitor End Time: 00:03:47, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xde0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #754: net1.exe
17 0
Information Value
ID #754
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKeyScheduler /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:46, Reason: Child Process
Unmonitor End Time: 00:03:47, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfe4
Parent PID 0xa2c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaa0000 0xffad2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffaa0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:02 (UTC) True 1
Get Time type = Ticks, time = 86549 True 1
Process #755: net.exe
0 0
Information Value
ID #755
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:49, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd30
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x43C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #756: net1.exe
17 0
Information Value
ID #756
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamBackupSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:47, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xfd8
Parent PID 0xde0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x000affff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1e0000 0xff212fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff1e0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:03 (UTC) True 1
Get Time type = Ticks, time = 87017 True 1
Process #757: net.exe
0 0
Information Value
ID #757
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc84
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #758: net1.exe
20 0
Information Value
ID #758
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop UI0Detect /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xeac
Parent PID 0xe10 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1e0000 0xff212fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 60 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff1e0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Get Info service_name = UI0DETECT True 1
Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:03 (UTC) True 1
Fn
Get Time type = Ticks, time = 87329 True 1
Fn
Process #759: net.exe
0 0
Information Value
ID #759
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe3c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #760: net1.exe
17 0
Information Value
ID #760
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamBrokerSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb0c
Parent PID 0xd30 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1e0000 0xff212fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff1e0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:03 (UTC) True 1
Fn
Get Time type = Ticks, time = 87422 True 1
Fn
Process #761: net.exe
0 0
Information Value
ID #761
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:49, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xffc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #762: net.exe
0 0
Information Value
ID #762
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:00
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3a8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
locale.nls 0x00290000 0x002f6fff Memory Mapped File r False False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #763: net1.exe
17 0
Information Value
ID #763
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamCatalogSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xfe8
Parent PID 0xc84 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
locale.nls 0x00200000 0x00266fff Memory Mapped File r False False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5e0000 0xff612fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff5e0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:03 (UTC) True 1
Fn
Get Time type = Ticks, time = 87656 True 1
Fn
Process #764: net1.exe
17 0
Information Value
ID #764
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamCloudSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa24
Parent PID 0xe3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x1C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5e0000 0xff612fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff5e0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:04 (UTC) True 1
Fn
Get Time type = Ticks, time = 87797 True 1
Fn
Process #765: net.exe
0 0
Information Value
ID #765
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc90
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9A8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #766: net.exe
0 0
Information Value
ID #766
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x51c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #767: net1.exe
17 0
Information Value
ID #767
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamDeploySvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa80
Parent PID 0x3a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 88187 True 1 Fn
Process #768: net1.exe
17 0
Information Value
ID #768
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamDeploymentService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x58c
Parent PID 0xffc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 88234 True 1 Fn
Process #769: net.exe
0 0
Information Value
ID #769
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9e0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #770: net.exe
0 0
Information Value
ID #770
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7d8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x314
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #771: net.exe
0 0
Information Value
ID #771
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x92c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #772: net1.exe
17 0
Information Value
ID #772
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:49, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x8fc
Parent PID 0xc90 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff820000 0xff852fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff820000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 88686 True 1 Fn
Process #773: net1.exe
17 0
Information Value
ID #773
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamMountSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:49, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe04
Parent PID 0x51c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff820000 0xff852fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b40000 0x7fef7b51fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff820000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:05 (UTC) True 1 Fn
Get Time type = Ticks, time = 88780 True 1 Fn
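The processes above show the pattern that matters for detection: fmoac.exe (PID 0x77c) spawns one net.exe per service, each net.exe relays the identical command line to a net1.exe child, and the targets are backup and recovery services (Veeam*, wbengine) plus W3Svc. In this sandbox those services are not installed, so net1.exe fails on Get Service Name and writes an error message to STDERR; the attempt, not its outcome, is the indicator. The following Python is an added example, not part of the VMRay report and not the sample's own code: it runs a parent-attributed burst detector over process-creation records constructed from the PIDs and command lines in this report. The explorer.exe, cmd.exe and Spooler rows, the timestamps, the record field names, the extended service list and the threshold are assumptions for illustration.

```python
"""Flag a burst of `net stop <service> /y` aimed at backup/recovery services,
attributed to the process that issued them rather than to net.exe/net1.exe.

Added example; not from the report. Records are constructed from the report's
process tree (PIDs, images, command lines); timestamps and the benign rows are
made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # seconds into the analysis (constructed)
    pid: int
    ppid: int
    image: str
    cmdline: str


# Matches both `"...\net.exe" stop X /y` and `...\net1 stop X /y`.
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+([^\s"]+)\s+/y\b', re.I)

# Veeam*, wbengine and W3Svc appear in the report; the remaining patterns are
# an assumed extension of the same idea (backup, VSS, database, mail services).
TARGET_SERVICE = re.compile(
    r'^(veeam.*|wbengine|vss|w3svc|sql.*|msexchange.*|.*backup.*)$', re.I)

RELAYS = {"net.exe", "net1.exe"}


def stop_target(cmdline: str):
    """Return the service named in a `net stop ... /y` command line, else None."""
    m = NET_STOP.search(cmdline)
    return m.group(1) if m else None


def origin_of(pid: int, by_pid: dict) -> int:
    """Walk up through net.exe/net1.exe relays to the process that issued the stop."""
    seen = set()
    while pid in by_pid and by_pid[pid].image.lower() in RELAYS and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def detect_service_stop_burst(events, min_services: int = 3, window_s: int = 60):
    """Alert when one origin process stops >= min_services distinct target
    services within window_s seconds. net.exe -> net1.exe pairs count once."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(dict)            # origin pid -> {svc_lower: (ts, svc)}
    for e in events:
        svc = stop_target(e.cmdline)
        if svc is None or not TARGET_SERVICE.match(svc):
            continue
        hits[origin_of(e.pid, by_pid)].setdefault(svc.lower(), (e.ts, svc))

    alerts = []
    for origin, svcs in hits.items():
        times = sorted(t for t, _ in svcs.values())
        best, j = 0, 0                  # sliding window over first-seen times
        for i in range(len(times)):
            while times[i] - times[j] > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_services:
            alerts.append({
                "origin_pid": origin,
                "image": by_pid[origin].image if origin in by_pid else "<unknown>",
                "services": sorted((n for _, n in svcs.values()), key=str.lower),
                "count": best,
            })
    return alerts


# Constructed records modelled on the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(200, 0x3f0, 0x200, "explorer.exe", r"C:\Windows\explorer.exe"),       # constructed
    ProcEvent(201, 0x77c, 0x3f0, "fmoac.exe", r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe"'),
    ProcEvent(228, 0x51c, 0x77c, "net.exe",  r'"C:\Windows\System32\net.exe" stop VeeamMountSvc /y'),
    ProcEvent(228, 0x9e0, 0x77c, "net.exe",  r'"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y'),
    ProcEvent(228, 0x7d8, 0x77c, "net.exe",  r'"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y'),
    ProcEvent(228, 0x92c, 0x77c, "net.exe",  r'"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y'),
    ProcEvent(229, 0xe04, 0x51c, "net1.exe", r"C:\Windows\system32\net1 stop VeeamMountSvc /y"),
    ProcEvent(229, 0x848, 0x92c, "net1.exe", r"C:\Windows\system32\net1 stop VeeamTransportSvc /y"),
    ProcEvent(229, 0x734, 0x77c, "net.exe",  r'"C:\Windows\System32\net.exe" stop W3Svc /y'),
    ProcEvent(229, 0x87c, 0x77c, "net.exe",  r'"C:\Windows\System32\net.exe" stop wbengine /y'),
    # Constructed benign noise: an admin restarting the print spooler.
    ProcEvent(300, 0x600, 0x3f0, "cmd.exe", "cmd.exe"),
    ProcEvent(301, 0x610, 0x600, "net.exe", r'"C:\Windows\System32\net.exe" stop Spooler /y'),
]

if __name__ == "__main__":
    for a in detect_service_stop_burst(SAMPLE_EVENTS):
        print(f"origin {a['image']} (pid {a['origin_pid']:#x}) stopped "
              f"{a['count']} target services: {', '.join(a['services'])}")
```

Attributing each stop to the first non-net ancestor is what makes the rule usable: per-process rules fire on every net.exe and net1.exe (twelve events here for six services), whereas the grouped view yields a single alert naming fmoac.exe with the full service list. Keep the threshold low; a real backup server rarely has an interactive user stopping three Veeam services within a minute.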
Process #774: net.exe
0 0
Information Value
ID #774
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop W3Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x734
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #775: net.exe
0 0
Information Value
ID #775
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop wbengine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x87c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x870
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #776: net1.exe
Information Value
ID #776
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamTransportSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x848
Parent PID 0x92c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:05 (UTC) True 1
Get Time type = Ticks, time = 89232 True 1
Process #777: net1.exe
Information Value
ID #777
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamNFSSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x218
Parent PID 0x9e0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:05 (UTC) True 1
Get Time type = Ticks, time = 89310 True 1
Process #778: net1.exe
Information Value
ID #778
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamRESTSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbe8
Parent PID 0x7d8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:05 (UTC) True 1
Get Time type = Ticks, time = 89232 True 1
Process #779: net.exe
Information Value
ID #779
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop WRSVC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcc8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #780: net.exe
Information Value
ID #780
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8ec
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #781: net1.exe
Information Value
ID #781
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop wbengine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x970
Parent PID 0x87c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff710000 0xff742fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 63 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff710000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = WBENGINE True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:06 (UTC) True 1
Get Time type = Ticks, time = 89840 True 1
Process #782: net1.exe
Information Value
ID #782
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop W3Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbbc
Parent PID 0x734 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
locale.nls 0x00200000 0x00266fff Memory Mapped File r False False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff710000 0xff742fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff710000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:06 (UTC) True 1
Get Time type = Ticks, time = 89965 True 1
Process #783: net.exe
0 0
»
Information Value
ID #783
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaf8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #784: net.exe
0 0
Information Value
ID #784
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbf0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #785: net1.exe
17 0
Information Value
ID #785
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xae8
Parent PID 0x8ec (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff980000 0xff9b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff980000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:06 (UTC) True 1
Get Time type = Ticks, time = 90527 True 1
Process #786: net1.exe
17 0
Information Value
ID #786
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xebc
Parent PID 0xaf8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff980000 0xff9b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff980000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:06 (UTC) True 1
Get Time type = Ticks, time = 90636 True 1
Process #787: net1.exe
17 0
Information Value
ID #787
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop WRSVC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xee8
Parent PID 0xcc8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff980000 0xff9b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff980000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:06 (UTC) True 1
Get Time type = Ticks, time = 90589 True 1
Process #788: net.exe
0 0
Information Value
ID #788
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_update /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xca0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #789: net.exe
0 0
Information Value
ID #789
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb14
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #790: net.exe
0 0
Information Value
ID #790
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x99c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #791: net1.exe
17 0
Information Value
ID #791
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb30
Parent PID 0xbf0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9c0000 0xff9f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff9c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:07 (UTC) True 1
Get Time type = Ticks, time = 91260 True 1
Process #792: net.exe
0 0
Information Value
ID #792
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQL Backups" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9dc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x0000000000660000 0x00660000 0x0066ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #793: net1.exe
17 0
Information Value
ID #793
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_update /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9b8
Parent PID 0xca0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9c0000 0xff9f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 91432 True 1 Fn
Process #794: net1.exe
17 0
Information Value
ID #794
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$CXDB /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8dc
Parent PID 0xb14 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9c0000 0xff9f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 91556 True 1 Fn
Process #795: net1.exe
17 0
Information Value
ID #795
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x884
Parent PID 0x99c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9c0000 0xff9f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 91572 True 1 Fn
Process #796: net.exe
0 0
Information Value
ID #796
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb88
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #797: net.exe
0 0
Information Value
ID #797
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbcc
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #798: net.exe
0 0
Information Value
ID #798
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaac
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #799: net1.exe
17 0
Information Value
ID #799
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQL Backups" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd0c
Parent PID 0x9dc (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffcb0000 0xffce2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffcb0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:08 (UTC) True 1 Fn
Get Time type = Ticks, time = 91931 True 1 Fn
Process #800: net1.exe
17 0
Information Value
ID #800
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc4c
Parent PID 0xb88 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffcb0000 0xffce2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffcb0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:08 (UTC) True 1
Get Time type = Ticks, time = 92212 True 1
Process #801: net1.exe
Information Value
ID #801
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc0c
Parent PID 0xbcc (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffcb0000 0xffce2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75810000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffcb0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:08 (UTC) True 1
Get Time type = Ticks, time = 92274 True 1
Process #802: net.exe
Information Value
ID #802
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb24
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #803: net.exe
Information Value
ID #803
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop msftesql$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb68
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #804: net.exe
Information Value
ID #804
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd60
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #805: net1.exe
Information Value
ID #805
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerADHelper /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x9bc
Parent PID 0xaac (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff590000 0xff5c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff590000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:09 (UTC) True 1
Get Time type = Ticks, time = 92804 True 1
Process #806: net1.exe
Information Value
ID #806
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x920
Parent PID 0xb24 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCD4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff590000 0xff5c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75800000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff590000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:46:09 (UTC) True 1
Get Time type = Ticks, time = 92992 True 1
Process #807: net.exe
Information Value
ID #807
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EhttpSrv /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc78
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #808: net1.exe
Information Value
ID #808
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop msftesql$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x990
Parent PID 0xb68 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff590000 0xff5c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff590000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:09 (UTC) True 1 Fn
Get Time type = Ticks, time = 93023 True 1 Fn
Process #809: net.exe
Information Value
ID #809
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ekrn /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xca8
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #810: net.exe
Information Value
ID #810
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ESHASRV /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9c4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #811: net1.exe
Information Value
ID #811
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop NetMsmqActivator /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb8c
Parent PID 0xd60 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x984
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 55 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = NETMSMQACTIVATOR True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:09 (UTC) True 1 Fn
Get Time type = Ticks, time = 93506 True 1 Fn
Process #812: net1.exe
Information Value
ID #812
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EhttpSrv /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8a4
Parent PID 0xc78 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x248
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0019ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 93694 True 1 Fn
Process #813: net1.exe
Information Value
ID #813
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ekrn /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc94
Parent PID 0xca8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x4D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:09 (UTC) True 1 Fn
Get Time type = Ticks, time = 93553 True 1 Fn
Process #814: net.exe
Information Value
ID #814
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd00
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #815: net.exe
Information Value
ID #815
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x20c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x2AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #816: net.exe
Information Value
ID #816
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AVP /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc3c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
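Processes #808 to #816 show the pattern a defender wants to key on: one parent (fmoac.exe, PID 0x77c) issues `net stop <service> /y` for security-product services (ekrn, ESHASRV, EhttpSrv, AVP), a SQL Server instance named SOPHOS (MSSQL$SOPHOS, SQLAgent$SOPHOS) and MSMQ activation (NetMsmqActivator), and each net.exe hands the request to a net1.exe child, so a sensor records every stop twice. Two net1.exe entries (#811, #812) are attributed to a taskkill.exe parent; taskkill does not launch net1, so this reads as a reused PID rather than a real parent. The detector below is an added example, not part of the VMRay report or its tooling: it replays process records shaped like the report's PID / Parent PID / Command Line fields, walks each stop back past the net.exe, net1.exe and taskkill.exe wrappers to the process that issued it, and alerts when one initiator stops a burst of distinct services. The 4-target threshold, the watch-list contents, the taskkill target sqlservr.exe, the administrator cmd.exe control case and the parent PIDs not shown in the report are assumptions, not report data.

```python
"""Flag ransomware-style mass service stops in process-creation telemetry.

Added example, not part of the VMRay report or of VMRay's tooling. It replays
process records modelled on the report's "Command Line" / "PID" / "Parent PID"
fields and alerts when one originating process drives several `net stop ... /y`
or `taskkill /IM ... /F` children. The threshold and the watch-list of service
names are assumptions chosen for illustration.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Services the report shows being stopped; extending this set is local policy
# and the set itself is an assumption, not something the report prescribes.
WATCHLIST = {"ekrn", "eshasrv", "ehttpsrv", "avp", "mssql$sophos",
             "sqlagent$sophos", "msftesql$prod", "netmsmqactivator"}

# Images that merely relay a stop/kill request on behalf of whoever spawned them.
WRAPPERS = {"net.exe", "net1.exe", "taskkill.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name as the sensor reports it, e.g. "net1.exe"
    cmdline: str


def _argv(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    shlex is avoided on purpose: its POSIX mode eats the backslashes in paths."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def classify(ev: ProcEvent):
    """Return the lower-cased service or image a stop/kill targets, else None."""
    argv = _argv(ev.cmdline)
    if not argv:
        return None
    image = ntpath.basename(argv[0]).lower()
    if not image.endswith(".exe"):
        image += ".exe"            # the report shows `net1 stop ...` without .exe
    if image in ("net.exe", "net1.exe") and len(argv) >= 3 and argv[1].lower() == "stop":
        return argv[2].lower()
    if image == "taskkill.exe":
        for i in range(1, len(argv) - 1):
            if argv[i].lower() == "/im":
                return argv[i + 1].lower()
    return None


def initiator(ev: ProcEvent, by_pid: dict) -> ProcEvent:
    """Walk up through net.exe -> net1.exe style wrappers to the process that
    issued the request. net.exe always delegates to net1.exe, so counting both
    would double-count; the walk also absorbs PID-reuse artefacts such as a
    net1.exe recorded under an already finished taskkill.exe parent."""
    cur, seen = ev, set()
    while cur.image.lower() in WRAPPERS and cur.ppid in by_pid and cur.pid not in seen:
        seen.add(cur.pid)
        cur = by_pid[cur.ppid]
    return cur


def detect(events, threshold: int = 4) -> dict:
    """Map initiator PID -> {"targets": [...], "watched": [...]} for every
    initiator that stopped or killed at least `threshold` distinct targets."""
    by_pid = {e.pid: e for e in events}
    targets = defaultdict(set)
    for ev in events:
        t = classify(ev)
        if t is not None:
            targets[initiator(ev, by_pid).pid].add(t)
    return {pid: {"targets": sorted(ts), "watched": sorted(ts & WATCHLIST)}
            for pid, ts in targets.items() if len(ts) >= threshold}


# Constructed sample shaped like the report's process list. PIDs and command
# lines of the fmoac.exe children come from the report; the taskkill.exe target,
# the administrator cmd.exe/net.exe pair and the unseen parent PIDs are invented.
SAMPLE_EVENTS = [
    ProcEvent(0x77c, 0x3e8, "fmoac.exe", r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe"'),
    ProcEvent(0xca8, 0x77c, "net.exe",  r'"C:\Windows\System32\net.exe" stop ekrn /y'),
    ProcEvent(0xc94, 0xca8, "net1.exe", r'C:\Windows\system32\net1 stop ekrn /y'),
    ProcEvent(0x9c4, 0x77c, "net.exe",  r'"C:\Windows\System32\net.exe" stop ESHASRV /y'),
    ProcEvent(0xd00, 0x77c, "net.exe",  r'"C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y'),
    ProcEvent(0x9a4, 0xd00, "net1.exe", r'C:\Windows\system32\net1 stop MSSQL$SOPHOS /y'),
    ProcEvent(0x20c, 0x77c, "net.exe",  r'"C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y'),
    ProcEvent(0xc3c, 0x77c, "net.exe",  r'"C:\Windows\System32\net.exe" stop AVP /y'),
    ProcEvent(0xd60, 0x77c, "taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F'),
    ProcEvent(0xb8c, 0xd60, "net1.exe", r'C:\Windows\system32\net1 stop NetMsmqActivator /y'),
    # benign control: an administrator stopping a single service from a shell
    ProcEvent(0x5a0, 0x4b0, "cmd.exe",  r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(0x5b0, 0x5a0, "net.exe",  r'"C:\Windows\System32\net.exe" stop Spooler /y'),
]

if __name__ == "__main__":
    for pid, hit in detect(SAMPLE_EVENTS).items():
        print(f"PID {pid:#x}: stopped {len(hit['targets'])} services, "
              f"{len(hit['watched'])} on the watch-list: {hit['watched']}")
```

Run stand-alone it reports one initiator, PID 0x77c, and stays silent on the cmd.exe control because a single stop is below the threshold. Attributing by initiator rather than by image name matters twice over: each `net stop` would otherwise be counted once for net.exe and once for net1.exe, and the PID-reuse entries would be charged to taskkill.exe instead of the sample that actually issued them.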
Process #817: net1.exe
Information Value
ID #817
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x9a4
Parent PID 0xd00 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff280000 0xff2b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff280000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 94021 True 1 Fn
Process #818: net1.exe
Information Value
ID #818
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ESHASRV /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd7c
Parent PID 0x9c4 (c:\windows\system32\reg.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff280000 0xff2b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff280000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 94131 True 1 Fn
Process #819: net.exe
Information Value
ID #819
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop klnagent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdd0
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x1C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #820: net.exe
Information Value
ID #820
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #821: net1.exe
Information Value
ID #821
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf3c
Parent PID 0x20c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 94318 True 1 Fn
Process #822: net1.exe
Information Value
ID #822
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AVP /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe64
Parent PID 0xc3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 94333 True 1 Fn
Process #823: net.exe
Information Value
ID #823
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd14
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x11C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #824: net.exe
Information Value
ID #824
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop wbengine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcec
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #825: net.exe
Information Value
ID #825
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop kavfsslp /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf6c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x61C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #826: net1.exe
Information Value
ID #826
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop klnagent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe4c
Parent PID 0xdd0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x404
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff980000 0xff9b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff980000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:11 (UTC) True 1
Fn
Get Time type = Ticks, time = 94801 True 1
Fn
Process #827: net1.exe
17 0
Information Value
ID #827
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x908
Parent PID 0xc4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7EC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
private_0x00000000006b0000 0x006b0000 0x006bffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff980000 0xff9b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff980000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:11 (UTC) True 1
Fn
Get Time type = Ticks, time = 94817 True 1
Fn
Process #828: net.exe
0 0
Information Value
ID #828
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop KAVFSGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf0c
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x88C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #829: net.exe
0 0
Information Value
ID #829
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop KAVFS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x640
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #830: net1.exe
17 0
Information Value
ID #830
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop kavfsslp /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf50
Parent PID 0xf6c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x910
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
locale.nls 0x00200000 0x00266fff Memory Mapped File r False False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbf0000 0xffc22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffbf0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:11 (UTC) True 1
Fn
Get Time type = Ticks, time = 95207 True 1
Fn
Process #831: net1.exe
20 0
Information Value
ID #831
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop wbengine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xeec
Parent PID 0xcec (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x838
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbf0000 0xffc22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 63 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffbf0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Get Info service_name = WBENGINE True 1
Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:11 (UTC) True 1
Fn
Get Time type = Ticks, time = 95441 True 1
Fn
Process #832: net1.exe
17 0
Information Value
ID #832
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x860
Parent PID 0xd14 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbf0000 0xffc22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffbf0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:11 (UTC) True 1
Fn
Get Time type = Ticks, time = 95503 True 1
Fn
Process #833: net.exe
0 0
Information Value
ID #833
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfefire /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe60
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffde0000 0xffdfbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
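The process records above (#826 to #833) show the sample driving `net.exe stop <service> /y` against endpoint-protection, backup and database services (klnagent, KAVFS, KAVFSGT, kavfsslp, mfefire, wbengine, MSSQL$SQLEXPRESS, SQLAgent$SQLEXPRESS), and the cmd.exe record that follows (#834) adds Run-key persistence under the value name `svchos`, a look-alike of svchost, via `cmd /C REG ADD`. Most of the net1.exe children fail at Get Service Name and only write an error message to STD_ERROR_HANDLE, i.e. those services are not installed in the sandbox; only wbengine (#831) is actually opened. The script below is an added example, not part of the VMRay report: hunting logic that runs over process-creation events (Sysmon Event ID 1 or EDR telemetry) and flags both behaviours, attributing each net1.exe stop back through its net.exe wrapper to the process that issued it. The sample events are constructed from this report's command lines (the net.exe parents of some net1.exe children are reconstructed, and a benign `net stop spooler` is included as a control), and the service watchlist is an assumption to tune for your own environment.

```python
"""Hunting logic for the two behaviours this report shows: mass `net stop <svc> /y`
against security/backup services (processes #826-#833) and Run-key persistence
via `cmd /C REG ADD ... \\CurrentVersion\\Run` (process #834). Input is a list of
process-creation events (pid, ppid, image, cmdline), e.g. Sysmon Event ID 1."""
import re
import shlex
from collections import defaultdict

NET_IMAGES = {"net", "net.exe", "net1", "net1.exe"}
# Assumption: watchlist seeded with the service names in this report plus a few
# common AV/backup/database families; tune it for the estate you defend.
SERVICE_WATCHLIST = re.compile(
    r"^(klnagent|kavfs[\w$]*|avp[\w$]*|mfe\w*|mcafee\w*|sophos\w*|wbengine|vss|"
    r"swprv|sql[\w$]*|mssql[\w$]*|veeam\w*|backup\w*)$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\|\\appdata\\|\\temp\\", re.IGNORECASE)

# Constructed sample events mirroring this report's command lines; the net.exe
# parents of the net1.exe children (0xdd0, 0xc4, 0xcec) are reconstructed, and
# the final `net stop spooler` is a benign control that must not alert.
SAMPLE_EVENTS = [
    {"pid": 0xdd0, "ppid": 0x77c, "image": r"c:\windows\system32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop klnagent /y'},
    {"pid": 0xe4c, "ppid": 0xdd0, "image": r"c:\windows\system32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop klnagent /y"},
    {"pid": 0xc4, "ppid": 0x77c, "image": r"c:\windows\system32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y'},
    {"pid": 0x908, "ppid": 0xc4, "image": r"c:\windows\system32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y"},
    {"pid": 0xf0c, "ppid": 0x77c, "image": r"c:\windows\system32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop KAVFSGT /y'},
    {"pid": 0x640, "ppid": 0x77c, "image": r"c:\windows\system32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop KAVFS /y'},
    {"pid": 0xcec, "ppid": 0x77c, "image": r"c:\windows\system32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop wbengine /y'},
    {"pid": 0xeec, "ppid": 0xcec, "image": r"c:\windows\system32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop wbengine /y"},
    {"pid": 0xe60, "ppid": 0x77c, "image": r"c:\windows\system32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop mfefire /y'},
    {"pid": 0xdb4, "ppid": 0x77c, "image": r"c:\windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE'
                r'\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d '
                r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" /f'},
    {"pid": 0x1234, "ppid": 0x1000, "image": r"c:\windows\system32\net.exe",
     "cmdline": "net stop spooler"},
]


def _argv(cmdline):
    # posix=False keeps backslashes literal and a quoted path with spaces as one token
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        toks = cmdline.split()
    return [t.strip('"') for t in toks]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def service_stop(event):
    """Return the service name a `net stop`/`net1 stop` command targets, else None."""
    argv = _argv(event["cmdline"])
    if len(argv) < 3 or _basename(argv[0]) not in NET_IMAGES or argv[1].lower() != "stop":
        return None
    return argv[2]  # a trailing /y auto-answers the "stop dependent services?" prompt


def run_key_persistence(event):
    """Return {key, value, data} when the command runs `reg add` on a Run/RunOnce
    key (directly or through cmd /C), else None."""
    argv = _argv(event["cmdline"])
    for i, tok in enumerate(argv[:-2]):
        if _basename(tok) in ("reg", "reg.exe") and argv[i + 1].lower() == "add":
            if not RUN_KEY.search(argv[i + 2]):
                return None
            opts = {argv[j].lower(): argv[j + 1]
                    for j in range(i + 3, len(argv) - 1) if argv[j].startswith("/")}
            return {"key": argv[i + 2], "value": opts.get("/v", "(Default)"),
                    "data": opts.get("/d", "")}
    return None


def _actor(event, by_pid):
    """Walk up through net.exe -> net1.exe wrappers to the process that issued the stop."""
    cur = event
    while True:
        parent = by_pid.get(cur["ppid"])
        if parent is None or _basename(parent["image"]) not in NET_IMAGES:
            return cur["ppid"]
        cur = parent


def triage(events, min_services=3):
    """Correlate events into findings: one per actor that stops watchlisted services
    and one per Run-key write. Severity is high for >= min_services distinct services,
    or for Run-key data that points into a user-writable path."""
    by_pid = {ev["pid"]: ev for ev in events}
    stopped = defaultdict(set)
    findings = []
    for ev in events:
        svc = service_stop(ev)
        if svc and SERVICE_WATCHLIST.match(svc):
            stopped[_actor(ev, by_pid)].add(svc.lower())
        hit = run_key_persistence(ev)
        if hit:
            sev = "high" if USER_WRITABLE.search(hit["data"]) else "medium"
            findings.append({"rule": "run_key_persistence", "pid": ev["pid"],
                             "severity": sev, **hit})
    for actor, services in stopped.items():
        sev = "high" if len(services) >= min_services else "medium"
        findings.append({"rule": "security_service_stop", "pid": actor,
                         "severity": sev, "services": sorted(services)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this yields one high-severity service-stop finding attributed to PID 0x77c (fmoac.exe) covering six distinct watchlisted services, and one high-severity Run-key finding for the cmd.exe child; the benign spooler stop produces nothing. Attributing through the net.exe wrapper matters because net.exe only launches net1.exe, so per-process counting would split one burst of stops across many short-lived PIDs.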
Process #834: cmd.exe
59 0
Information Value
ID #834
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" /f
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xdb4
Parent PID 0x77c (c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x808
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory r True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x002e0fff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002f0fff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b50000 0x01b50000 0x01e92fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01ea0000 0x0216efff Memory Mapped File r False False False -
cmd.exe 0x49ea0000 0x49ef8fff Memory Mapped File rwx True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef6b50000 0x7fef6b57fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Windows\system32 type = file_attributes True 1 Fn
Get Info C:\Windows\System32 type = file_attributes True 1 Fn
Open STD_OUTPUT_HANDLE - True 5 Fn
Open STD_INPUT_HANDLE - True 3 Fn
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1 Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\reg.exe os_pid = 0xc1c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1 Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x49ea0000 True 1 Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77af0000 True 2 Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77b06d40 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x77b023d0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77af8290 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x77b017e0 True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:12 (UTC) True 1 Fn
Get Time type = Ticks, time = 96549 True 1 Fn
Environment (19)
Operation Additional Information Success Count Logfile
Get Environment String - True 7 Fn, Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2 Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2 Fn
Get Environment String name = PROMPT False 1 Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1 Fn
Get Environment String name = KEYS False 1 Fn
Set Environment String name = PROMPT, value = $P$G True 1 Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1 Fn
Set Environment String name = COPYCMD True 1 Fn
Set Environment String name = =ExitCode, value = 00000000 True 1 Fn
Set Environment String name = =ExitCodeAscii True 1 Fn
Process #835: taskhost.exe
90 0
Information Value
ID #835
File Name c:\windows\system32\taskhost.exe
Command Line "taskhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:56, Reason: Injection
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:06
OS Process Information
Information Value
PID 0x49c
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xED8
0xED4
0xEC4
0x7A8
0x6DC
0x6B8
0x6B0
0x6AC
0x6A8
0x4CC
0x4C4
0x4C0
0x4B0
0x4A0
0xA04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File r False False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
pagefile_0x0000000000230000 0x00230000 0x00231fff Pagefile Backed Memory rw True False False -
private_0x0000000000240000 0x00240000 0x00240fff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x00250fff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x002dffff Private Memory rw True False False -
pagefile_0x00000000002e0000 0x002e0000 0x002e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002f0000 0x002f0000 0x002f0fff Pagefile Backed Memory r True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000590000 0x00590000 0x00591fff Pagefile Backed Memory rw True False False -
msutb.dll.mui 0x005a0000 0x005a1fff Memory Mapped File rw False False False -
private_0x00000000005b0000 0x005b0000 0x005b0fff Private Memory rw True False False -
private_0x00000000005c0000 0x005c0000 0x005c0fff Private Memory rw True False False -
pagefile_0x00000000005d0000 0x005d0000 0x005d0fff Pagefile Backed Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b80000 0x01b80000 0x01f72fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001f80000 0x01f80000 0x0205efff Pagefile Backed Memory r True False False -
private_0x0000000002070000 0x02070000 0x020effff Private Memory rw True False False -
private_0x00000000020f0000 0x020f0000 0x0212ffff Private Memory rw True False False -
private_0x0000000002140000 0x02140000 0x0214ffff Private Memory rw True False False -
private_0x0000000002150000 0x02150000 0x021cffff Private Memory rw True False False -
kernelbase.dll.mui 0x021d0000 0x0228ffff Memory Mapped File rw False False False -
private_0x00000000022e0000 0x022e0000 0x0235ffff Private Memory rw True False False -
private_0x00000000023c0000 0x023c0000 0x0243ffff Private Memory rw True False False -
private_0x0000000002480000 0x02480000 0x024fffff Private Memory rw True False False -
private_0x0000000002520000 0x02520000 0x0259ffff Private Memory rw True False False -
private_0x0000000002610000 0x02610000 0x0268ffff Private Memory rw True False False -
private_0x00000000026d0000 0x026d0000 0x0274ffff Private Memory rw True False False -
private_0x00000000027c0000 0x027c0000 0x0283ffff Private Memory rw True False False -
private_0x00000000028c0000 0x028c0000 0x0293ffff Private Memory rw True False False -
private_0x0000000002970000 0x02970000 0x029effff Private Memory rw True False False -
private_0x0000000002a80000 0x02a80000 0x02afffff Private Memory rw True False False -
private_0x0000000002b20000 0x02b20000 0x02b9ffff Private Memory rw True False False -
sortdefault.nls 0x02ba0000 0x02e6efff Memory Mapped File r False False False -
private_0x0000000002f00000 0x02f00000 0x02f7ffff Private Memory rw True False False -
private_0x00000000030b0000 0x030b0000 0x0312ffff Private Memory rw True False False -
private_0x00000000031e0000 0x031e0000 0x0325ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskhost.exe 0xfffe0000 0xffff3fff Memory Mapped File rwx False False False -
private_0x000000013f0c0000 0x13f0c0000 0x13f0f5fff Private Memory rwx True False False -
dimsjob.dll 0x7fef92d0000 0x7fef92ddfff Memory Mapped File rwx False False False -
npmproxy.dll 0x7fef9530000 0x7fef953bfff Memory Mapped File rwx False False False -
netprofm.dll 0x7fef99a0000 0x7fef9a13fff Memory Mapped File rwx False False False -
hotstartuseragent.dll 0x7fefa800000 0x7fefa80afff Memory Mapped File rwx False False False -
msutb.dll 0x7fefa810000 0x7fefa84cfff Memory Mapped File rwx False False False -
msctfmonitor.dll 0x7fefa850000 0x7fefa85afff Memory Mapped File rwx False False False -
playsndsrv.dll 0x7fefa910000 0x7fefa927fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winmm.dll 0x7fefb020000 0x7fefb05afff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
slc.dll 0x7fefb5e0000 0x7fefb5eafff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fefb6b0000 0x7fefb6c4fff Memory Mapped File rwx False False False -
taskschd.dll 0x7fefb7a0000 0x7fefb8c6fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefbee0000 0x7fefbef0fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefc080000 0x7fefc097fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefc4b0000 0x7fefc505fff Memory Mapped File rwx False False False -
userenv.dll 0x7fefcf10000 0x7fefcf2dfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefda20000 0x7fefda44fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefdb00000 0x7fefdb3cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefdb40000 0x7fefdb53fff Memory Mapped File rwx False False False -
profapi.dll 0x7fefdb60000 0x7fefdb6efff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefdc00000 0x7fefdc0efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefddc0000 0x7fefdf26fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe460000 0x7feff1e7fff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff470000 0x7feff508fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feff820000 0x7feff8f6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory rw True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory rw True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory rw True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory rw True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Create Remote Thread #422: c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe 0x780 address = 0x13f0c19a0 True 1 Fn
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1 Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Create C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Write C:\users\Public\PUBLIC size = 276 True 1 Fn, Data
Write C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE size = 1444 True 1 Fn, Data
Module (78)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77af0000 True 1 Fn
Load mpr.dll base_address = 0x7fefb000000 True 1 Fn
Load advapi32.dll base_address = 0x7fefe380000 True 1 Fn
Load ole32.dll base_address = 0x7fefe110000 True 1 Fn
Load Shell32.dll base_address = 0x7fefe460000 True 1 Fn
Load Iphlpapi.dll base_address = 0x7fefb500000 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77b07070 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77b12dd0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77b01260 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7fefe388140 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x77afad90 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x77b0bdf0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x77b0c480 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77b08070 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77b01910 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x77b067a0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7fefe38dc20 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x77c340f0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x77b3bb30 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x77b88840 True 1 Fn
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefb50e558 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x77afd910 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x77b3bb40 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x77af94e0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7fefe391fd0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77b01500 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefe39c480 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77b12f80 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7fefe391ed0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefe3a0710 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x77b85620 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x77b037a0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x77b88d80 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7fefe3bb6b0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7fefe3819bc True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77b12b70 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77b05cf0 True 1 Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe47983c True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x77aff9d0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x77af80c0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x77b0bd60 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77b01170 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x77b064a0 True 1 Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe6bec80 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x77b065e0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77b07700 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x77b131f0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77af9b30 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x77b135a0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x77afb930 True 1 Fn
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefb0041a0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7fefe3a06f0 True 1 Fn
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefb0042dc True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x77af82b0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77af2d50 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefe39b5f0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77b01150 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77b12b00 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x77b0bdd0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x77b0bd80 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7fefe38d98c True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77af3060 True 1 Fn
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefb003e00 True 1 Fn
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefe12a51c True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7fefe3bb6d0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7fefe38af6c True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x77afaf00 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x77af92d0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77b06620 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77b11bb0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x77afad70 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77b06580 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7fefe38afa0 True 1 Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefe137490 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77b01870 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x77b013e0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7fefe3bb650 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7fefe38bbb0 True 1 Fn
System (6)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 1 Fn
Get Info type = Operating System True 2 Fn
Get Info type = Windows Directory, result_out = C:\Windows True 3 Fn
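The Module table above is the behaviour of the thread that fmoac.exe started in taskhost.exe with Create Remote Thread: its start address 0x13f0c19a0 falls inside the rwx private region at 0x13f0c0000 listed in this process's Region table, and the thread resolves its imports one by one through GetProcAddress instead of carrying them in an import table, which is why the Load rows are followed by 72 Get Address rows. What follows is an added triage example, not part of the VMRay report and not VMRay code: it groups those resolved names into capability buckets and applies combination rules to them, in the spirit of capability-matching tools. The bucket names and the rules are this example's own heuristic choices, not an official taxonomy; the list of names is copied from the table above.

```python
"""Capability triage over dynamically resolved API names (added example, not VMRay code)."""
from typing import Dict, Iterable, List, Set

# Capability buckets. These groupings are this example's own heuristic, not an official taxonomy.
CAPABILITIES: Dict[str, Set[str]] = {
    "crypto_key_setup": {"CryptAcquireContextA", "CryptAcquireContextW", "CryptGenKey",
                         "CryptDeriveKey", "CryptImportKey", "CryptExportKey"},
    "crypto_transform": {"CryptEncrypt", "CryptDecrypt"},
    "drive_and_file_enumeration": {"GetLogicalDrives", "GetDriveTypeA", "GetDriveTypeW",
                                   "FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW"},
    "network_share_enumeration": {"WNetOpenEnumA", "WNetOpenEnumW", "WNetEnumResourceA",
                                  "WNetEnumResourceW", "GetIpNetTable"},
    "file_rewrite": {"WriteFile", "SetFilePointer", "SetFilePointerEx", "MoveFileExA", "MoveFileExW",
                     "DeleteFileA", "DeleteFileW", "SetFileAttributesA", "SetFileAttributesW"},
    "registry_write": {"RegSetValueExA", "RegSetValueExW", "RegDeleteValueA", "RegDeleteValueW"},
    "process_launch": {"CreateProcessA", "CreateProcessW", "WinExec", "ShellExecuteA", "ShellExecuteW"},
    "wow64_fs_redirection": {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"},
}

# A rule fires when every listed bucket has at least one resolved name.
RULES: Dict[str, List[str]] = {
    "encrypts data with CryptoAPI": ["crypto_key_setup", "crypto_transform"],
    "walks local drives and directories": ["drive_and_file_enumeration"],
    "reaches network shares": ["network_share_enumeration"],
    "rewrites or renames files it enumerated": ["drive_and_file_enumeration", "file_rewrite"],
    "ransomware-consistent API profile": ["crypto_key_setup", "crypto_transform",
                                          "drive_and_file_enumeration", "file_rewrite"],
}

# The 72 names the injected taskhost.exe thread resolved via GetProcAddress (Module table above).
RESOLVED_IN_REPORT: List[str] = [
    "LoadLibraryA", "GetLastError", "VirtualFree", "CryptExportKey", "DeleteFileW", "GetDriveTypeW",
    "GetCommandLineW", "GetStartupInfoW", "FindNextFileW", "VirtualAlloc", "GetUserNameA", "ExitProcess",
    "Wow64RevertWow64FsRedirection", "CreateProcessA", "GetIpNetTable", "GetVersionExW",
    "Wow64DisableWow64FsRedirection", "GetSystemDefaultLangID", "GetUserNameW", "ReadFile",
    "RegQueryValueExA", "CloseHandle", "RegSetValueExW", "RegCloseKey", "CopyFileA", "SetFileAttributesW",
    "WinExec", "CryptDeriveKey", "CryptGenKey", "Sleep", "GetCurrentProcess", "ShellExecuteW", "GetFileSize",
    "GlobalAlloc", "FindClose", "WaitForMultipleObjects", "GetModuleFileNameA", "ShellExecuteA",
    "GetModuleHandleA", "GetModuleFileNameW", "CreateFileA", "GetFileSizeEx", "WriteFile", "GetLogicalDrives",
    "WNetEnumResourceW", "RegOpenKeyExW", "WNetCloseEnum", "GetWindowsDirectoryW", "SetFileAttributesA",
    "RegOpenKeyExA", "SetFilePointer", "GetTickCount", "GetFileAttributesW", "FindFirstFileW",
    "CryptAcquireContextW", "MoveFileExW", "WNetOpenEnumW", "CoInitialize", "CryptDecrypt", "CryptImportKey",
    "SetFilePointerEx", "CopyFileW", "FreeLibrary", "CreateProcessW", "CreateDirectoryW", "CreateThread",
    "CryptDestroyKey", "CoCreateInstance", "CreateFileW", "GetFileAttributesA", "CryptEncrypt", "RegDeleteValueW",
]


def classify(resolved: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each capability bucket to the resolved names that fall into it (empty buckets omitted)."""
    names = set(resolved)
    return {bucket: names & apis for bucket, apis in CAPABILITIES.items() if names & apis}


def matched_rules(resolved: Iterable[str]) -> Dict[str, Set[str]]:
    """Rules whose every bucket is populated, each with the names that served as evidence."""
    buckets = classify(resolved)
    out: Dict[str, Set[str]] = {}
    for rule, needed in RULES.items():
        if all(b in buckets for b in needed):
            out[rule] = set().union(*(buckets[b] for b in needed))
    return out


def is_ransomware_consistent(resolved: Iterable[str]) -> bool:
    return "ransomware-consistent API profile" in matched_rules(resolved)


def unclassified(resolved: Iterable[str]) -> Set[str]:
    """Names no bucket claims; useful for seeing what the rule set is not yet covering."""
    claimed = set().union(*CAPABILITIES.values())
    return set(resolved) - claimed


if __name__ == "__main__":
    for rule, evidence in matched_rules(RESOLVED_IN_REPORT).items():
        print(f"{rule}: {sorted(evidence)}")
    print("unclassified:", sorted(unclassified(RESOLVED_IN_REPORT)))
```

The rules deliberately require combinations: CryptEncrypt on its own is also what a legitimate updater or backup agent resolves, so the ransomware rule only fires when key setup, encryption, drive/file enumeration and in-place file rewriting all appear together, which is what this thread's list shows. Dynamic resolution of the whole set at run time, rather than a static import table, is itself worth recording as a separate indicator.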
Process #836: net1.exe
17 0
Information Value
ID #836
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop KAVFS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:56, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x804
Parent PID 0x640 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x408
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbf0000 0xffc22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffbf0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:12 (UTC) True 1 Fn
Get Time type = Ticks, time = 96049 True 1 Fn
Process #837: net1.exe
17 0
Information Value
ID #837
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop KAVFSGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:56, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x40c
Parent PID 0xf0c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75800000 0x75801fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbf0000 0xffc22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75800000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffbf0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:12 (UTC) True 1 Fn
Get Time type = Ticks, time = 96283 True 1 Fn
Process #838: dwm.exe
93 0
Information Value
ID #838
File Name c:\windows\system32\dwm.exe
Command Line "C:\Windows\system32\Dwm.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:56, Reason: Injection
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:15
OS Process Information
Information Value
PID 0x6fc
Parent PID 0x33c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEB8, 0xEB4, 0x710, 0x704, 0x700, 0x8C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
rsaenh.dll 0x001a0000 0x001e4fff Memory Mapped File r False False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00417fff Pagefile Backed Memory r True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
pagefile_0x0000000000570000 0x00570000 0x006f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x01afffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b00000 0x01b00000 0x01ef2fff Pagefile Backed Memory r True False False -
private_0x0000000001f00000 0x01f00000 0x01ffffff Private Memory rw True False False -
pagefile_0x0000000002000000 0x02000000 0x020defff Pagefile Backed Memory r True False False -
private_0x00000000021b0000 0x021b0000 0x0222ffff Private Memory rw True False False -
private_0x0000000002250000 0x02250000 0x022cffff Private Memory rw True False False -
private_0x0000000002390000 0x02390000 0x0240ffff Private Memory rw True False False -
sortdefault.nls 0x02440000 0x0270efff Memory Mapped File r False False False -
private_0x0000000002710000 0x02710000 0x0280ffff Private Memory rw True False False -
private_0x0000000002840000 0x02840000 0x028bffff Private Memory rw True False False -
private_0x0000000002900000 0x02900000 0x0297ffff Private Memory rw True False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
psapi.dll 0x77dd0000 0x77dd6fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
dwm.exe 0xffd00000 0xffd22fff Memory Mapped File rwx False False False -
private_0x000000013f0c0000 0x13f0c0000 0x13f0f5fff Private Memory rwx True False False -
dxgi.dll 0x7fefab50000 0x7fefabf6fff Memory Mapped File rwx False False False -
d3d10_1core.dll 0x7fefac00000 0x7fefac54fff Memory Mapped File rwx False False False -
d3d10_1.dll 0x7fefac60000 0x7fefac93fff Memory Mapped File rwx False False False -
dwmcore.dll 0x7fefada0000 0x7fefaf31fff Memory Mapped File rwx False False False -
dwmredir.dll 0x7fefafd0000 0x7fefaff6fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefb000000 0x7fefb017fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb4f0000 0x7fefb4fafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb500000 0x7fefb526fff Memory Mapped File rwx False False False -
windowscodecs.dll 0x7fefbf10000 0x7fefc039fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefc080000 0x7fefc097fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefc4b0000 0x7fefc505fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd20000 0x7fefcd2bfff Memory Mapped File rwx False False False -
userenv.dll 0x7fefcf10000 0x7fefcf2dfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd170000 0x7fefd1b6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd470000 0x7fefd486fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda50000 0x7fefda5efff Memory Mapped File rwx False False False -
profapi.dll 0x7fefdb60000 0x7fefdb6efff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefdc00000 0x7fefdc0efff Memory Mapped File rwx False False False -
wintrust.dll 0x7fefdcd0000 0x7fefdd09fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefddc0000 0x7fefdf26fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe110000 0x7fefe312fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe460000 0x7feff1e7fff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #422: c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe 0x780 address = 0x13f0c0000, size = 221184 True 1 Fn, Data
Create Remote Thread #422: c:\users\5p5nrgjn0js halpmcxz\desktop\fmoac.exe 0x780 address = 0x13f0c19a0 True 1 Fn
Host Behavior
File (7)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1 Fn
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1 Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Create C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Write C:\users\Public\PUBLIC size = 276 True 1 Fn, Data
Write C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE size = 1444 True 1 Fn, Data
Module (78)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77af0000 True 1 Fn
Load mpr.dll base_address = 0x7fefb000000 True 1 Fn
Load advapi32.dll base_address = 0x7fefe380000 True 1 Fn
Load ole32.dll base_address = 0x7fefe110000 True 1 Fn
Load Shell32.dll base_address = 0x7fefe460000 True 1 Fn
Load Iphlpapi.dll base_address = 0x7fefb500000 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77b07070 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77b12dd0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77b01260 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7fefe388140 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x77afad90 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x77b0bdf0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x77b0c480 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77b08070 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77b01910 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x77b067a0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7fefe38dc20 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x77c340f0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x77b3bb30 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x77b88840 True 1 Fn
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefb50e558 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x77afd910 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x77b3bb40 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x77af94e0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7fefe391fd0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77b01500 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefe39c480 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77b12f80 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7fefe391ed0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefe3a0710 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x77b85620 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x77b037a0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x77b88d80 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7fefe3bb6b0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7fefe3819bc True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77b12b70 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77b05cf0 True 1 Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe47983c True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x77aff9d0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x77af80c0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x77b0bd60 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77b01170 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x77b064a0 True 1 Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe6bec80 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x77b065e0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77b07700 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x77b131f0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77af9b30 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x77b135a0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x77afb930 True 1 Fn
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefb0041a0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7fefe3a06f0 True 1 Fn
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefb0042dc True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x77af82b0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77af2d50 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefe39b5f0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77b01150 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77b12b00 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x77b0bdd0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x77b0bd80 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7fefe38d98c True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77af3060 True 1 Fn
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefb003e00 True 1 Fn
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefe12a51c True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7fefe3bb6d0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7fefe38af6c True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x77afaf00 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x77af92d0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77b06620 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77b11bb0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x77afad70 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77b06580 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7fefe38afa0 True 1 Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefe137490 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77b01870 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x77b013e0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7fefe3bb650 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7fefe38bbb0 True 1 Fn
System (8)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 1 Fn
Sleep duration = 9000 milliseconds (9.000 seconds) True 1 Fn
Get Info type = Operating System True 2 Fn
Get Info type = Windows Directory, result_out = C:\Windows True 4 Fn
Process #839: net1.exe
17 0
Information Value
ID #839
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfefire /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:56, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xe78
Parent PID 0xe60 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75810000 0x75811fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff980000 0xff9b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef7b60000 0x7fef7b71fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef9e00000 0x7fef9e26fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb5f0000 0x7fefb5fbfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefbd60000 0x7fefbd73fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefbd80000 0x7fefbd94fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefbda0000 0x7fefbdabfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefbdb0000 0x7fefbdc5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc640000 0x7fefc65cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefd260000 0x7fefd28ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd950000 0x7fefd972fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75810000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff980000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:12 (UTC) True 1 Fn
Get Time type = Ticks, time = 96517 True 1 Fn
Process #840: reg.exe
13 0
Information Value
ID #840
File Name c:\windows\system32\reg.exe
Command Line REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe" /f
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc1c
Parent PID 0xdb4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x754
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
reg.exe.mui 0x00160000 0x00168fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01b50000 0x01e1efff Memory Mapped File r False False False -
kernelbase.dll.mui 0x01e20000 0x01edffff Memory Mapped File rw False False False -
user32.dll 0x779f0000 0x77ae9fff Memory Mapped File rwx False False False -
kernel32.dll 0x77af0000 0x77c0efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c10000 0x77db8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
reg.exe 0xff6b0000 0xff705fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7fefdd10000 0x7fefdd7afff Memory Mapped File rwx False False False -
msctf.dll 0x7fefdf30000 0x7fefe038fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefe040000 0x7fefe108fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefe380000 0x7fefe45afff Memory Mapped File rwx False False False -
lpk.dll 0x7feff270000 0x7feff27dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7feff280000 0x7feff2e6fff Memory Mapped File rwx False False False -
imm32.dll 0x7feff2f0000 0x7feff31dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff320000 0x7feff327fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff330000 0x7feff3cefff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff900000 0x7feffa2cfff Memory Mapped File rwx False False False -
sechost.dll 0x7feffa30000 0x7feffa4efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feffa50000 0x7feffac0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffc50000 0x7feffc9cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff30000 0x7fefff30fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (5)
Operation Filename Additional Information Success Count Logfile
Get Info STD_OUTPUT_HANDLE type = file_type True 1 Fn
Open STD_OUTPUT_HANDLE - True 3 Fn
Write STD_OUTPUT_HANDLE size = 39 True 1 Fn, Data
Registry (4)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System - False 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = svchos True 1 Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = svchos, data = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FmoAc.exe, size = 96, type = REG_SZ True 1 Fn
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\reg.exe base_address = 0xff6b0000 True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:46:13 (UTC) True 1 Fn
Get Time type = Ticks, time = 96705 True 1 Fn