90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008 (SHA256)
name.doc
Word Document
Created at 2019-02-08 09:18:00
Notifications (2/2)
The overall sleep time of all monitored processes was truncated from "5 minutes" to "20 seconds" to reveal dormant functionality.
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
576
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:49, Reason: Analysis Target |
| Unmonitor | End Time: 00:05:05, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8ec |
| Parent PID | 0x460 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
978
0x
96C
0x
964
0x
95C
0x
950
0x
94C
0x
948
0x
944
0x
940
0x
93C
0x
938
0x
934
0x
930
0x
92C
0x
928
0x
908
0x
904
0x
900
0x
8FC
0x
8F8
0x
8F0
0x
98C
0x
A4C
0x
A50
0x
AC8
0x
ACC
0x
BDC
0x
764
0x
0
0x
ACC
0x
964
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00401fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00410fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00420fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x01b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b60000 | 0x01e2efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001e30000 | 0x01e30000 | 0x02222fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002230000 | 0x02230000 | 0x02231fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002240000 | 0x02240000 | 0x02241fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002250000 | 0x02250000 | 0x02252fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002260000 | 0x02260000 | 0x02261fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002270000 | 0x02270000 | 0x0236ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0237ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000002380000 | 0x02380000 | 0x02382fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002390000 | 0x02390000 | 0x02392fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x023a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x023b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x023c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x023d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x023effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x025effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x0262ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x02630fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x02640fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002650000 | 0x02650000 | 0x02650fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002660000 | 0x02660000 | 0x02660fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002670000 | 0x02670000 | 0x02670fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002680000 | 0x02680000 | 0x026fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002700000 | 0x02700000 | 0x027defff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000027e0000 | 0x027e0000 | 0x02807fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0287afff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x0297ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002980000 | 0x02980000 | 0x02980fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002990000 | 0x02990000 | 0x02994fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000029a0000 | 0x029a0000 | 0x029a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x029b0000 | 0x029bbfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x02abffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02ac0000 | 0x02b7ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002b80000 | 0x02b80000 | 0x02c7ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x02c80000 | 0x02c87fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02c90000 | 0x02c9ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002da0000 | 0x02da0000 | 0x02da0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002db0000 | 0x02db0000 | 0x02db0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002dc0000 | 0x02dc0000 | 0x02dc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002dd0000 | 0x02dd0000 | 0x02dd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002de0000 | 0x02de0000 | 0x02de0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002df0000 | 0x02df0000 | 0x02df0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e00000 | 0x02e00000 | 0x02e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002e10000 | 0x02e10000 | 0x02e11fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x02e20000 | 0x02e20fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02f2ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x02f30000 | 0x02f4ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002f50000 | 0x02f50000 | 0x02f50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002f90000 | 0x02f90000 | 0x02f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fa0000 | 0x02fa0000 | 0x0309ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030c0000 | 0x030c0000 | 0x0313ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031d0000 | 0x031d0000 | 0x032cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x033cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033e0000 | 0x033e0000 | 0x034dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000034e0000 | 0x034e0000 | 0x038dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003990000 | 0x03990000 | 0x03a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b50000 | 0x03b50000 | 0x03bcffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000003c10000 | 0x03c10000 | 0x03c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c50000 | 0x03c50000 | 0x03c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c60000 | 0x03c60000 | 0x0405ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004080000 | 0x04080000 | 0x0417ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000041e0000 | 0x041e0000 | 0x042dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004380000 | 0x04380000 | 0x0447ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004480000 | 0x04480000 | 0x047c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000047d0000 | 0x047d0000 | 0x04fcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051c0000 | 0x051c0000 | 0x0523ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005240000 | 0x05240000 | 0x05371fff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x05380000 | 0x05caffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005d10000 | 0x05d10000 | 0x05e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e20000 | 0x05e20000 | 0x05e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e30000 | 0x05e30000 | 0x05f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005ff0000 | 0x05ff0000 | 0x0606ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000060f0000 | 0x060f0000 | 0x061effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006250000 | 0x06250000 | 0x0634ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000063f0000 | 0x063f0000 | 0x0646ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006470000 | 0x06470000 | 0x0656ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000066c0000 | 0x066c0000 | 0x067bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006830000 | 0x06830000 | 0x0692ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006930000 | 0x06930000 | 0x0792ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000079e0000 | 0x079e0000 | 0x07adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007ae0000 | 0x07ae0000 | 0x082dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008430000 | 0x08430000 | 0x084affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000084b0000 | 0x084b0000 | 0x0852ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008530000 | 0x08530000 | 0x0892ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000374f0000 | 0x374f0000 | 0x374fffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000037620000 | 0x37620000 | 0x3762ffff | Private Memory | rwx |
|
|
|
- |
| osppc.dll | 0x74b40000 | 0x74b72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x777a0000 | 0x777a6fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x777b0000 | 0x777b2fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winword.exe | 0x13f020000 | 0x13f1fbfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007febd6d0000 | 0x7febd6d0000 | 0x7febd6dffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007febefc0000 | 0x7febefc0000 | 0x7febefcffff | Private Memory | rwx |
|
|
|
- |
| adal.dll | 0x7fee52d0000 | 0x7fee53e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x7fee53f0000 | 0x7fee5563fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7fee5570000 | 0x7fee580afff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7fee5930000 | 0x7fee5aadfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7fee5ab0000 | 0x7fee5c7ffff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x7fee5c80000 | 0x7feea066fff | Memory Mapped File | rwx |
|
|
|
- |
| mso99lres.dll | 0x7feea070000 | 0x7feead64fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uires.dll | 0x7feead70000 | 0x7feeb1acfff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x7feeb1b0000 | 0x7feecbdbfff | Memory Mapped File | rwx |
|
|
|
- |
| mso98win32client.dll | 0x7feecbe0000 | 0x7feed886fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feed890000 | 0x7feee35efff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7feee360000 | 0x7feeea43fff | Memory Mapped File | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7feeea50000 | 0x7feeeef2fff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x7feeef00000 | 0x7feefe84fff | Memory Mapped File | rwx |
|
|
|
- |
| wwlib.dll | 0x7feefe90000 | 0x7fef2668fff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x7fef26d0000 | 0x7fef286cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fef29a0000 | 0x7fef2a38fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef2a40000 | 0x7fef2aaefff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x7fef2ab0000 | 0x7fef2b6ffff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7fef2b70000 | 0x7fef2c51fff | Memory Mapped File | rwx |
|
|
|
- |
| mso50win32client.dll | 0x7fef2c60000 | 0x7fef2ceafff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7fef2cf0000 | 0x7fef2db5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7fef2f90000 | 0x7fef302bfff | Memory Mapped File | rwx |
|
|
|
- |
| mlang.dll | 0x7fef3070000 | 0x7fef30aafff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x7fef3280000 | 0x7fef3298fff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x7fef46b0000 | 0x7fef46cbfff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x7fef46d0000 | 0x7fef4731fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x7fef4de0000 | 0x7fef4e50fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7fef5270000 | 0x7fef527bfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7fef53d0000 | 0x7fef53d7fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7fef61c0000 | 0x7fef6223fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 611 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs | 111.59 KB |
MD5:
6c636cfb3b7d2c5dd95b42290fb67db8
SHA1: f65cd957fe9ba292e08713ec8b49f10bb3c8730c SHA256: 3cdcb8b1f297a84822877e19d9b853870608b338bdc43b1c89aafc8c6f35eb6f SSDeep: 1536:lh9T4nZoTC71VPrzfuHtOHtTm/F2ZSeBY1a3uH/PgOajUg2sbqJai3TS2NCu16c1:lhenZoT81N7uodNGH9ajKsWL3TS2NfB1 |
|
|
| c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs | 57.67 KB |
MD5:
45afe0ded26cf630807bfc207ce64d48
SHA1: 536049d1760297fd828317396e13344b8c229b10 SHA256: 8d52fc3716d8e1d78cfebfcbd9697fe88d9ffb7e0992f2baa3d69ef88fee7e96 SSDeep: 1536:lh9T4nZoTC71VPrzfuHtOHtTm/F2ZSeBY1a3us:lhenZoT81N7uodNGs |
|
|
Host Behavior
COM (2)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | MSXML2.DOMDocument | IUnknown | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
2 |
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs | file_attributes = _O_RDWR, _O_CREAT, _O_EXCL |
|
2 | |
| Write | c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs | size = 59052 |
|
1 | |
| Write | c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs | size = 55213 |
|
1 |
Registry (69)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 67, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = VbaCapability, data = 83 |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | wscript.exe "c:\users\aetadzjz\appdata\roaming\microsoft\word\startup\..\..\Windows\Cookies\wordTemplate.vbs | os_pid = 0xa54, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (175)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Comctl32.dll | base_address = 0x7fefc030000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee31c0000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x7fef8c40000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x7feff380000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x7fee39a0000 |
|
18 | |
| Get Handle | c:\program files\microsoft office\root\office16\winword.exe | base_address = 0x13f020000 |
|
1 | |
| Get Handle | MSI.DLL | base_address = 0x7fef9a00000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x774e0000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feff380000 |
|
1 | |
| Get Handle | ole32.dll | base_address = 0x7fefee70000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
4 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fef9a83b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fef9a7a13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fef9a81618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fef9a7f088 |
|
1 | |
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee32c72c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee32360b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee31e1a60 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee3235f50 |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee31df000 |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee31ce860 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee31c3fc0 |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee31d2380 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee31c7b80 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee31c7b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee31c8730 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee3303260 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee3303280 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee31d1f40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee3236370 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee3224590 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee31c55b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee31d0240 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee31c3d10 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee31c6d30 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee31c3d40 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee31ce6f0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee31cdf40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee31c7bf0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee31cfcd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee31c8b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee32c2ef0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee31d42c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee31c3e20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee31cab10 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee31ca7d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee31c1550 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee31ce830 |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee31c13d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee31c6660 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee31c1500 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee31c3dd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee32c71e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee3296d10 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiFIsEdpEnabled, address_out = 0x7fee33098e0 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiEnterpriseProtect, address_out = 0x7fee3309830 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7feff381320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7feff38f1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7feff3dcaa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7feff411760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feff4120d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7feff3ac760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7feff3decd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7feff3de840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7feff3ef420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7feff3e4ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7feff3e9350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7feff3b6e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feff38a550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7feff3ef320 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x774f94f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x774f5f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x774f2b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x774eab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x774f5c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x774ea730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x774ea5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feff382270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feff40dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feff385c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feff386330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feff3a66c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feff384710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feff3848f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feff3bb640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feff3bb360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feff3c2640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feff3a58a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feff3a5820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feff3baf20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feff3da0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feff412160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feff3a5af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feff3a5a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feff3a5a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feff3a5a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feff3860b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feff383e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feff3d9f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feff409b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feff409aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feff409990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feff409890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feff409770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feff3eb8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feff3eb800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feff4048e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feff409470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feff4096a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feff402fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feff409cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feff408ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feff409c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feff408e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feff403690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feff4092d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feff402e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feff403f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feff4091a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feff3e7c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feff3e7a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feff3e7890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feff3e7ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feff409600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feff3e76a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feff4083f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feff3b3070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feff3bd700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feff3bd890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feff39caf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feff3a8a00 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x7fee31cfcd0 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x0 |
|
1 | |
| Get Address | Unknown module name | function = 570, address_out = 0x7fee3d06d10 |
|
3 | |
| Get Address | Unknown module name | function = 600, address_out = 0x7fee3aa4ee0 |
|
3 | |
| Get Address | Unknown module name | function = 631, address_out = 0x7fee3b0d690 |
|
3 | |
| Get Address | Unknown module name | function = 581, address_out = 0x7fee3b0a6c8 |
|
3 | |
| Get Address | Unknown module name | function = 537, address_out = 0x7fee3b0ad64 |
|
3 | |
| Get Address | Unknown module name | function = 716, address_out = 0x7fee3ce24c8 |
|
3 | |
| Get Address | Unknown module name | function = DllDebugObjectRPCHook, address_out = 0x7fefefeafd0 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (31)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 1090, y_out = 530 |
|
2 | |
| Get Cursor | x_out = 470, y_out = 293 |
|
1 | |
| Get Time | type = System Time, time = 2019-02-08 09:19:43 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 109231 |
|
1 | |
| Get Time | type = Local Time, time = 2019-02-08 09:19:46 (Local Time) |
|
3 | |
| Get Time | type = Local Time, time = 2019-02-08 09:19:47 (Local Time) |
|
10 | |
| Get Time | type = Ticks, time = 250210 |
|
9 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: wscript.exe
118
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\wscript.exe |
| Command Line | wscript.exe "c:\users\aetadzjz\appdata\roaming\microsoft\word\startup\..\..\Windows\Cookies\wordTemplate.vbs |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:08, Reason: Self Terminated |
| Monitor Duration | 00:00:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa54 |
| Parent PID | 0x8ec (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A58
0x
A5C
0x
A60
0x
A64
0x
A68
0x
A6C
0x
B74
0x
BE8
0x
BEC
0x
854
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00040000 | 0x000a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x000e0000 | 0x000e5fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x0012bfff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| scrrun.dll | 0x00120000 | 0x0012ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x0014bfff | Pagefile Backed Memory | r |
|
|
|
- |
| wshom.ocx | 0x00130000 | 0x00143fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00350000 | 0x00394fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00361fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x00370000 | 0x00370fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00381fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00391fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x003a0000 | 0x003a3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x00637fff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x00640000 | 0x0065ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00660fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c10000 | 0x01c10000 | 0x01f52fff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x01f60000 | 0x01fdcfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x0214ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001f60000 | 0x01f60000 | 0x0203efff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x02040000 | 0x0206ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x02070000 | 0x02073fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002080000 | 0x02080000 | 0x02080fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002090000 | 0x02090000 | 0x02090fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x0214ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002150000 | 0x02150000 | 0x0224ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02150000 | 0x021b5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x0234ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02350000 | 0x0261efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x0272ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x0282ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x029bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000029c0000 | 0x029c0000 | 0x039bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000003a70000 | 0x03a70000 | 0x03b6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003b70000 | 0x03b70000 | 0x03f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003f70000 | 0x03f70000 | 0x0416ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004230000 | 0x04230000 | 0x0432ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x0444ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x0455ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x0473ffff | Private Memory | rw |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x777a0000 | 0x777a6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| wscript.exe | 0xff230000 | 0xff25bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fee2ea0000 | 0x7fee2f3ffff | Memory Mapped File | rwx |
|
|
|
- |
| vbscript.dll | 0x7fee2f40000 | 0x7fee2fd9fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x7fef2960000 | 0x7fef2993fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x7fef3040000 | 0x7fef3067fff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7fef3840000 | 0x7fef3893fff | Memory Mapped File | rwx |
|
|
|
- |
| ieframe.dll | 0x7fef38a0000 | 0x7fef4456fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x7fef89c0000 | 0x7fef89fbfff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefa5e0000 | 0x7fefa636fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7fefad90000 | 0x7fefada7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x7fefae00000 | 0x7fefae1cfff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x7fefae60000 | 0x7fefae6afff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefb4a0000 | 0x7fefb4ccfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fefba20000 | 0x7fefba37fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefbe50000 | 0x7fefbea5fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefbeb0000 | 0x7fefbfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc030000 | 0x7fefc223fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefc6f0000 | 0x7fefc6fbfff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7fefc8b0000 | 0x7fefc8cafff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefc8d0000 | 0x7fefc8edfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7fefca60000 | 0x7fefcaabfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcb20000 | 0x7fefcb66fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefce20000 | 0x7fefce36fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7fefcf90000 | 0x7fefcfb1fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7fefcfc0000 | 0x7fefd00dfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefd3f0000 | 0x7fefd414fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7fefd430000 | 0x7fefd4c0fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd530000 | 0x7fefd53efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefd5d0000 | 0x7fefd5defff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7fefd680000 | 0x7fefd6b9fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefd6c0000 | 0x7fefd6d9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefd750000 | 0x7fefd8b6fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd8c0000 | 0x7fefd8f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7fefdbb0000 | 0x7fefdcd9fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefde50000 | 0x7fefebd7fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7fefec10000 | 0x7fefed87fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7feff080000 | 0x7feff2d8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feff4e0000 | 0x7feff531fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff650000 | 0x7feff826fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7feff850000 | 0x7feff8e6fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (11)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
3 | |
| Create | WScript.Shell | IUnknown | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | Scripting.FileSystemObject | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
5 |
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs | type = size |
|
1 | |
| Get Info | c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs | type = size |
|
3 | |
| Read | c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs | size = 114265, size_out = 114265 |
|
3 |
Registry (27)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\.vbs | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\VBSFile\ScriptEngine | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 48, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 48, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 48, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 48, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\.vbs | data = VBSFile, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\VBSFile\ScriptEngine | data = VBScript, type = REG_SZ |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | expand.exe | show_window = SW_HIDE |
|
1 | |
| Create | wmic | show_window = SW_HIDE |
|
1 |
Module (19)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x773c0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7fefee70000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x7fefed90000 |
|
1 | |
| Get Handle | c:\windows\system32\wscript.exe | base_address = 0xff230000 |
|
3 | |
| Get Handle | c:\windows\system32\ole32.dll | base_address = 0x7fefee70000 |
|
1 | |
| Get Filename | c:\windows\system32\wscript.exe | process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\system32\wscript.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\system32\wscript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x773dc4a0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7fefee97490 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x7fefedae470 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x7fefedaf9b0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferCloseLevel, address_out = 0x7fefedaf660 |
|
1 | |
| Get Address | c:\windows\system32\wscript.exe | function = 1, address_out = 0xff23d7f8 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x7fefee8a4c4 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetClassObject, address_out = 0x7fefeea2e18 |
|
1 | |
| Create Mapping | c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs | filename = c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs, protection = PAGE_READONLY, maximum_size = 114265 |
|
1 | |
| Map | c:\users\aetadzjz\appdata\roaming\microsoft\Windows\Cookies\wordTemplate.vbs | process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WSH-Timer, wndproc_parameter = 6773392 |
|
1 |
System (30)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
2 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
3 | |
| Sleep | duration = 986 milliseconds (0.986 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2019-02-08 09:19:52 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 118155 |
|
1 | |
| Get Time | type = Ticks, time = 118732 |
|
1 | |
| Get Time | type = Ticks, time = 118903 |
|
1 | |
| Get Time | type = System Time, time = 2019-02-08 09:19:53 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 119449 |
|
1 | |
| Get Time | type = Ticks, time = 119512 |
|
1 | |
| Get Time | type = System Time, time = 2019-02-08 09:19:55 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 121041 |
|
1 | |
| Get Time | type = Ticks, time = 121056 |
|
1 | |
| Get Time | type = Ticks, time = 122070 |
|
1 | |
| Get Time | type = Ticks, time = 123069 |
|
1 | |
| Get Time | type = Ticks, time = 166219 |
|
1 | |
| Get Time | type = Ticks, time = 167233 |
|
1 | |
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = System Directory, result_out = Lð$ |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Process #3: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:16, Reason: RPC Server |
| Unmonitor | End Time: 00:05:05, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:49 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x368 |
| Parent PID | 0x1d4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
788
0x
554
0x
568
0x
420
0x
7E4
0x
7DC
0x
7D8
0x
784
0x
75C
0x
744
0x
738
0x
728
0x
724
0x
71C
0x
700
0x
6FC
0x
6F4
0x
6A8
0x
4C4
0x
488
0x
47C
0x
478
0x
458
0x
444
0x
30C
0x
294
0x
1E0
0x
3F8
0x
3EC
0x
3E0
0x
388
0x
384
0x
380
0x
37C
0x
374
0x
36C
0x
A70
0x
A74
0x
A78
0x
A7C
0x
A80
0x
A84
0x
A88
0x
A8C
0x
A90
0x
A94
0x
A98
0x
A9C
0x
AA0
0x
AA4
0x
AA8
0x
AAC
0x
AB0
0x
AB4
0x
AB8
0x
B10
0x
B1C
0x
B54
0x
B84
0x
B88
0x
BBC
0x
BC0
0x
BC4
0x
BC8
0x
BCC
0x
BD0
0x
BD4
0x
BB8
0x
85C
0x
858
0x
630
0x
6C0
0x
554
0x
854
0x
A60
0x
7D4
0x
A64
0x
BEC
0x
A54
0x
7DC
0x
B88
0x
784
0x
7D8
0x
598
0x
114
0x
128
0x
738
0x
484
0x
320
0x
BB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00260fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00517fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x0076ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00b62fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b90fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00bb0000 | 0x00bb3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bc1fff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00bd0000 | 0x00bfffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00c00000 | 0x00c03fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| firewallapi.dll.mui | 0x00ca0000 | 0x00cbbfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01080000 | 0x0134efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001360000 | 0x01360000 | 0x013dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013f0000 | 0x013f0000 | 0x0146ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001480000 | 0x01480000 | 0x0148ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014a0000 | 0x014a0000 | 0x0151ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001540000 | 0x01540000 | 0x015bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015f0000 | 0x015f0000 | 0x0166ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001680000 | 0x01680000 | 0x016fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001750000 | 0x01750000 | 0x017cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001800000 | 0x01800000 | 0x0187ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000018b0000 | 0x018b0000 | 0x0192ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001980000 | 0x01980000 | 0x019fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a20000 | 0x01a20000 | 0x01a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001aa0000 | 0x01aa0000 | 0x01b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ba0000 | 0x01ba0000 | 0x01c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01caffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01cb0000 | 0x01d15fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01e7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x021c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x022cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022d0000 | 0x022d0000 | 0x0234ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x023fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x0247ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x0251ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002550000 | 0x02550000 | 0x0255ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025a0000 | 0x025a0000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002620000 | 0x02620000 | 0x0271ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002720000 | 0x02720000 | 0x0279ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x028affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002910000 | 0x02910000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b20000 | 0x02b20000 | 0x02b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d60000 | 0x02d60000 | 0x02ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e60000 | 0x02e60000 | 0x02f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030c0000 | 0x030c0000 | 0x0313ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003140000 | 0x03140000 | 0x031bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031c0000 | 0x031c0000 | 0x0323ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032e0000 | 0x032e0000 | 0x0335ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003360000 | 0x03360000 | 0x0345ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000035d0000 | 0x035d0000 | 0x0364ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000036b0000 | 0x036b0000 | 0x0372ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003750000 | 0x03750000 | 0x037cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003940000 | 0x03940000 | 0x03b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ca0000 | 0x03ca0000 | 0x03d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d80000 | 0x03d80000 | 0x03dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e60000 | 0x03e60000 | 0x03edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f60000 | 0x03f60000 | 0x03fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004070000 | 0x04070000 | 0x040effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042d0000 | 0x042d0000 | 0x0434ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x045bffff | Private Memory | rw |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| svchost.exe | 0xffaa0000 | 0xffaaafff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7fef5270000 | 0x7fef527bfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7fef53d0000 | 0x7fef53d7fff | Memory Mapped File | rwx |
|
|
|
- |
| tcpipcfg.dll | 0x7fef53e0000 | 0x7fef5421fff | Memory Mapped File | rwx |
|
|
|
- |
| mprapi.dll | 0x7fef5430000 | 0x7fef5469fff | Memory Mapped File | rwx |
|
|
|
- |
| rascfg.dll | 0x7fef5470000 | 0x7fef5489fff | Memory Mapped File | rwx |
|
|
|
- |
| ndiscapcfg.dll | 0x7fef5490000 | 0x7fef549efff | Memory Mapped File | rwx |
|
|
|
- |
| hnetcfg.dll | 0x7fef54a0000 | 0x7fef550afff | Memory Mapped File | rwx |
|
|
|
- |
| resutils.dll | 0x7fef5510000 | 0x7fef5528fff | Memory Mapped File | rwx |
|
|
|
- |
| clusapi.dll | 0x7fef5530000 | 0x7fef557ffff | Memory Mapped File | rwx |
|
|
|
- |
| wbemess.dll | 0x7fef55b0000 | 0x7fef562dfff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7fef5630000 | 0x7fef5645fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiprvsd.dll | 0x7fef5650000 | 0x7fef570bfff | Memory Mapped File | rwx |
|
|
|
- |
| repdrvfs.dll | 0x7fef5710000 | 0x7fef5782fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7fef5790000 | 0x7fef57b5fff | Memory Mapped File | rwx |
|
|
|
- |
| nci.dll | 0x7fef57c0000 | 0x7fef57d9fff | Memory Mapped File | rwx |
|
|
|
- |
| netcfgx.dll | 0x7fef57e0000 | 0x7fef5863fff | Memory Mapped File | rwx |
|
|
|
- |
| browser.dll | 0x7fef5870000 | 0x7fef5894fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcore.dll | 0x7fef58a0000 | 0x7fef59cefff | Memory Mapped File | rwx |
|
|
|
- |
| wdscore.dll | 0x7fef59d0000 | 0x7fef5a16fff | Memory Mapped File | rwx |
|
|
|
- |
| sqmapi.dll | 0x7fef5a20000 | 0x7fef5a61fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpsvc.dll | 0x7fef5a70000 | 0x7fef5b01fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7fef5e10000 | 0x7fef5e95fff | Memory Mapped File | rwx |
|
|
|
- |
| wmisvc.dll | 0x7fef5ea0000 | 0x7fef5edffff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7fef60c0000 | 0x7fef60c8fff | Memory Mapped File | rwx |
|
|
|
- |
| vsstrace.dll | 0x7fef65d0000 | 0x7fef65e6fff | Memory Mapped File | rwx |
|
|
|
- |
| vssapi.dll | 0x7fef65f0000 | 0x7fef679ffff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7fef67d0000 | 0x7fef6843fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7fef8830000 | 0x7fef891dfff | Memory Mapped File | rwx |
|
|
|
- |
| taskcomp.dll | 0x7fef8df0000 | 0x7fef8e66fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fefa810000 | 0x7fefa819fff | Memory Mapped File | rwx |
|
|
|
- |
| schedsvc.dll | 0x7fefa820000 | 0x7fefa931fff | Memory Mapped File | rwx |
|
|
|
- |
| wiarpc.dll | 0x7fefac60000 | 0x7fefac6efff | Memory Mapped File | rwx |
|
|
|
- |
| fvecerts.dll | 0x7fefac70000 | 0x7fefac78fff | Memory Mapped File | rwx |
|
|
|
- |
| tbs.dll | 0x7fefac80000 | 0x7fefac88fff | Memory Mapped File | rwx |
|
|
|
- |
| fveapi.dll | 0x7fefac90000 | 0x7feface5fff | Memory Mapped File | rwx |
|
|
|
- |
| shsvcs.dll | 0x7fefacf0000 | 0x7fefad4dfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7fefad50000 | 0x7fefad67fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7fefad70000 | 0x7fefad80fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7fefae80000 | 0x7fefaed2fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefaff0000 | 0x7fefaffafff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7fefb000000 | 0x7fefb026fff | Memory Mapped File | rwx |
|
|
|
- |
| sens.dll | 0x7fefb030000 | 0x7fefb043fff | Memory Mapped File | rwx |
|
|
|
- |
| es.dll | 0x7fefb060000 | 0x7fefb0c6fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb0d0000 | 0x7fefb0dafff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7fefb0e0000 | 0x7fefb0ebfff | Memory Mapped File | rwx |
|
|
|
- |
| themeservice.dll | 0x7fefb0f0000 | 0x7fefb0fffff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb100000 | 0x7fefb118fff | Memory Mapped File | rwx |
|
|
|
- |
| profsvc.dll | 0x7fefb120000 | 0x7fefb156fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7fefb1a0000 | 0x7fefb1b4fff | Memory Mapped File | rwx |
|
|
|
- |
| gpsvc.dll | 0x7fefb1c0000 | 0x7fefb281fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefb4a0000 | 0x7fefb4ccfff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x7fefb5b0000 | 0x7fefb5c0fff | Memory Mapped File | rwx |
|
|
|
- |
| srvsvc.dll | 0x7fefb5d0000 | 0x7fefb60cfff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7fefb610000 | 0x7fefb6f1fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 239 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #4: expand.exe
16
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\expand.exe |
| Command Line | "C:\Windows\System32\expand.exe" C:\Users\aETAdzjz\AppData\Local\Temp\LOJkdxjDhQANoxu -F:* C:\Users\aETAdzjz\AppData\Local\Temp\iSatSrv.exe |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:06, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf0 |
| Parent PID | 0xa54 (c:\windows\system32\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BF4
0x
82C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| expand.exe.mui | 0x00070000 | 0x00071fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00270000 | 0x002d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00710fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x01b1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b20000 | 0x01b20000 | 0x01cbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01b20000 | 0x01deefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001cc0000 | 0x01cc0000 | 0x01e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x01fcffff | Private Memory | rw |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| expand.exe | 0xff760000 | 0xff774fff | Memory Mapped File | rwx |
|
|
|
- |
| dpx.dll | 0x7fee10d0000 | 0x7fee1134fff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7fee1530000 | 0x7fee1654fff | Memory Mapped File | rwx |
|
|
|
- |
| wdscore.dll | 0x7fef59d0000 | 0x7fef5a16fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7fef86c0000 | 0x7fef86dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefde50000 | 0x7fefebd7fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\users\aetadzjz\appdata\local\temp\lojkdxjdhqanoxu | file_attributes = _O_SEQUENTIAL |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\LOJkdxjDhQANoxu | type = file_attributes |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\iSatSrv.exe | type = file_attributes |
|
5 | |
| Read | c:\users\aetadzjz\appdata\local\temp\lojkdxjdhqanoxu | size = 36 |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Expand.exe | base_address = 0xff760000 |
|
1 | |
| Load | dpx.dll | base_address = 0x7fee10d0000 |
|
1 | |
| Get Handle | c:\windows\system32\expand.exe | base_address = 0xff760000 |
|
1 | |
| Get Address | c:\windows\system32\dpx.dll | function = DpxNewJob, address_out = 0x7fee10d9ca8 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-08 09:20:39 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 165361 |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Process #5: wmic.exe
22
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\wbem\wmic.exe |
| Command Line | "C:\Windows\System32\wbem\WMIC.exe" process call create "schtasks.exe /Create /Sc MINUTE /MO 2 /TN \"\Microsoft Driver Management Service\" /TR \"C:\Users\aETAdzjz\AppData\Local\Temp\iSatSrv.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x850 |
| Parent PID | 0xa54 (c:\windows\system32\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
66C
0x
870
0x
86C
0x
868
0x
864
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wmic.exe.mui | 0x000e0000 | 0x000effff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml3r.dll | 0x00130000 | 0x00130fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00160000 | 0x00160fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x002f0000 | 0x0036cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0030ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00311fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00320000 | 0x0032bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x00330000 | 0x00337fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x01bdffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001be0000 | 0x01be0000 | 0x01c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c60000 | 0x01c60000 | 0x01d5ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x01c60000 | 0x01c6ffff | Memory Mapped File | rw |
|
|
|
- |
| rsaenh.dll | 0x01c70000 | 0x01cb4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x01c93fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x01c71fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d5ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01d60000 | 0x0202efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x021cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x020effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002150000 | 0x02150000 | 0x021cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021e0000 | 0x021e0000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002260000 | 0x02260000 | 0x023fffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02260000 | 0x0231ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x023fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x0264ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x0256ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002400000 | 0x02400000 | 0x024defff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x0256ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x0264ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002650000 | 0x02650000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002650000 | 0x02650000 | 0x027fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x0276ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002780000 | 0x02780000 | 0x027fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x02c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02f4ffff | Private Memory | rw |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| wmic.exe | 0xff050000 | 0xff0dcfff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x7fee1a10000 | 0x7fee1a5bfff | Memory Mapped File | rwx |
|
|
|
- |
| msxml3.dll | 0x7fee2fe0000 | 0x7fee31b3fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7fef5e10000 | 0x7fef5e95fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefaff0000 | 0x7fefaffafff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7fefb000000 | 0x7fefb026fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7fefb610000 | 0x7fefb6f1fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7fefb780000 | 0x7fefb793fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x7fefb810000 | 0x7fefb836fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7fefb880000 | 0x7fefb890fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7fefb8a0000 | 0x7fefb8aefff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefbe50000 | 0x7fefbea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc030000 | 0x7fefc223fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcb20000 | 0x7fefcb66fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7fefcc40000 | 0x7fefcc9afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefce20000 | 0x7fefce36fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7fefd3c0000 | 0x7fefd3cafff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefd3f0000 | 0x7fefd414fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefd510000 | 0x7fefd523fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd530000 | 0x7fefd53efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefd5d0000 | 0x7fefd5defff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefd750000 | 0x7fefd8b6fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7fefd900000 | 0x7fefd94cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7fefdbb0000 | 0x7fefdcd9fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefde40000 | 0x7fefde47fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefde50000 | 0x7fefebd7fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7fefec10000 | 0x7fefed87fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7feff080000 | 0x7feff2d8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (5)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\YKYD69Q\ROOT\CIMV2 |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | schtasks.exe /Create /Sc MINUTE /MO 2 /TN "\Microsoft Driver Management Service" /TR "C:\Users\aETAdzjz\AppData\Local\Temp\iSatSrv.exe | - |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\kernel32.dll | base_address = 0x773c0000 |
|
1 | |
| Get Handle | c:\windows\system32\wbem\wmic.exe | base_address = 0xff050000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x773d6d40 |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Time | type = System Time, time = 2019-02-08 09:20:42 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 168137 |
|
1 | |
| Get Time | type = Local Time, time = 2019-02-08 09:20:42 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Process #6: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:09, Reason: RPC Server |
| Unmonitor | End Time: 00:05:05, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:56 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x440 |
| Parent PID | 0x254 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3BC
0x
584
0x
8C4
0x
8CC
0x
8D4
0x
8C8
0x
8B8
0x
8B4
0x
A5C
0x
B74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b2fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x00740fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x0080ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b80000 | 0x00e4efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x01242fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001250000 | 0x01250000 | 0x012cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001360000 | 0x01360000 | 0x013dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001430000 | 0x01430000 | 0x014affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001540000 | 0x01540000 | 0x015bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001550000 | 0x01550000 | 0x015cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001640000 | 0x01640000 | 0x016bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001710000 | 0x01710000 | 0x0178ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001790000 | 0x01790000 | 0x0180ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001810000 | 0x01810000 | 0x0190ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001910000 | 0x01910000 | 0x01c52fff | Pagefile Backed Memory | r |
|
|
|
- |
| security.dll | 0x752b0000 | 0x752b2fff | Memory Mapped File | rwx |
|
|
|
- |
| wmi.dll | 0x752f0000 | 0x752f2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| wmiprvse.exe | 0xff0b0000 | 0xff10efff | Memory Mapped File | rwx |
|
|
|
- |
| cimwin32.dll | 0x7fee0c30000 | 0x7fee0e29fff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x7fee1a10000 | 0x7fee1a5bfff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7fef5630000 | 0x7fef5645fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7fef5790000 | 0x7fef57b5fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7fef5e10000 | 0x7fef5e95fff | Memory Mapped File | rwx |
|
|
|
- |
| wmipcima.dll | 0x7fef8bf0000 | 0x7fef8c1bfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7fef8c20000 | 0x7fef8c31fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef8e70000 | 0x7fef8e7efff | Memory Mapped File | rwx |
|
|
|
- |
| schedcli.dll | 0x7fefae20000 | 0x7fefae29fff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x7fefae30000 | 0x7fefae37fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7fefb0e0000 | 0x7fefb0ebfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefb4a0000 | 0x7fefb4ccfff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7fefb610000 | 0x7fefb6f1fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7fefb700000 | 0x7fefb713fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7fefb720000 | 0x7fefb734fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7fefb740000 | 0x7fefb74bfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x7fefb750000 | 0x7fefb765fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7fefb780000 | 0x7fefb793fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x7fefb810000 | 0x7fefb836fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7fefb880000 | 0x7fefb890fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7fefb8a0000 | 0x7fefb8aefff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefc8d0000 | 0x7fefc8edfff | Memory Mapped File | rwx |
|
|
|
- |
| credssp.dll | 0x7fefca20000 | 0x7fefca29fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcb20000 | 0x7fefcb66fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7fefcbb0000 | 0x7fefcc06fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7fefcc10000 | 0x7fefcc3ffff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefce20000 | 0x7fefce36fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd320000 | 0x7fefd342fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7fefd3c0000 | 0x7fefd3cafff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefd3f0000 | 0x7fefd414fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7fefd4d0000 | 0x7fefd50cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefd510000 | 0x7fefd523fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd530000 | 0x7fefd53efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefd5d0000 | 0x7fefd5defff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefd6c0000 | 0x7fefd6d9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefd750000 | 0x7fefd8b6fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd8c0000 | 0x7fefd8f5fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7fefd900000 | 0x7fefd94cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefde40000 | 0x7fefde47fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feff4e0000 | 0x7feff531fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
Process #7: schtasks.exe
21
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\schtasks.exe |
| Command Line | schtasks.exe /Create /Sc MINUTE /MO 2 /TN "\Microsoft Driver Management Service" /TR "C:\Users\aETAdzjz\AppData\Local\Temp\iSatSrv.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8c0 |
| Parent PID | 0x440 (c:\windows\system32\wbem\wmiprvse.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
704
0x
8D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x000e0000 | 0x000f1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00710fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x01b1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b20000 | 0x01deefff | Memory Mapped File | r |
|
|
|
- |
| rpcss.dll | 0x01df0000 | 0x01e6cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001df0000 | 0x01df0000 | 0x01ecefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f80000 | 0x01f80000 | 0x01ffffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x0221ffff | Private Memory | rw |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| schtasks.exe | 0xff840000 | 0xff887fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fefa810000 | 0x7fefa819fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7fefb290000 | 0x7fefb3b6fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7fefb9e0000 | 0x7fefba14fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefbe50000 | 0x7fefbea5fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefc6f0000 | 0x7fefc6fbfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefd3f0000 | 0x7fefd414fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect, password = 192 |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2019-02-08T09:20:00 |
|
1 |
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (9)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | VERSION.dll | base_address = 0x7fefc6f0000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7fefed90000 |
|
1 | |
| Get Handle | c:\windows\system32\schtasks.exe | base_address = 0xff840000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x7fefc6f15fc |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoW, address_out = 0x7fefc6f1614 |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = VerQueryValueW, address_out = 0x7fefc6f15e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7fefeda1fd0 |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-08 09:20:44 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 170165 |
|
1 | |
| Get Time | type = Local Time, time = 2019-02-08 09:20:44 (Local Time) |
|
3 |
Process #10: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {9DBDD5F0-896F-41C2-9C9A-0D01B1F9C6E8} S-1-5-21-2345716840-1148442690-1481144037-1000:YKYD69Q\aETAdzjz:Interactive:LUA[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:35, Reason: Child Process |
| Unmonitor | End Time: 00:05:05, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:30 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x72c |
| Parent PID | 0x368 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
358
0x
8D0
0x
8BC
0x
900
0x
B0
0x
1C4
0x
210
0x
A24
0x
A1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00051fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00130000 | 0x00196fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00710fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x01b1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b20000 | 0x01b20000 | 0x01f12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fc0000 | 0x01fc0000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x020dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x0216ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021b0000 | 0x021b0000 | 0x0222ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x0232ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02330000 | 0x025fefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002600000 | 0x02600000 | 0x026defff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x027affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x028dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x02a3ffff | Private Memory | rw |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| taskeng.exe | 0xff4d0000 | 0xff543fff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7fef60c0000 | 0x7fef60c8fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fefa810000 | 0x7fefa819fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7fefb9e0000 | 0x7fefba14fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fefba20000 | 0x7fefba37fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefbe50000 | 0x7fefbea5fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcb20000 | 0x7fefcb66fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefce20000 | 0x7fefce36fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x7fefd050000 | 0x7fefd0bcfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefd3f0000 | 0x7fefd414fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefd510000 | 0x7fefd523fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Process #16: isatsrv.exe
44
16
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\users\aetadzjz\appdata\local\temp\isatsrv.exe |
| Command Line | C:\Users\aETAdzjz\AppData\Local\Temp\iSatSrv.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:30, Reason: Child Process |
| Unmonitor | End Time: 00:05:05, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:35 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5e4 |
| Parent PID | 0x72c (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BC0
0x
BCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x000d0000 | 0x000edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x005b0000 | 0x0087efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00a07fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| isatsrv.exe | 0x00ce0000 | 0x00f2efff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x10930fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x0232ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x0249ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002500000 | 0x02500000 | 0x025fffff | Private Memory | rw |
|
|
|
- |
| wow64win.dll | 0x74c00000 | 0x74c5bfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x74da0000 | 0x74db1fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74dc0000 | 0x74dc4fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74dd0000 | 0x74e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74e10000 | 0x74e16fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x75240000 | 0x75247fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75250000 | 0x7528efff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x75290000 | 0x752abfff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x752d0000 | 0x752d2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x758b0000 | 0x758e4fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77790000 | 0x77795fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = ProxyServer, data = 0, type = REG_NONE |
|
1 |
Module (25)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x0 |
|
2 | |
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x752d0000 |
|
2 | |
| Load | api-ms-win-core-fibers-l1-1-1 | base_address = 0x0 |
|
4 | |
| Load | kernel32 | base_address = 0x0 |
|
2 | |
| Load | kernel32 | base_address = 0x76540000 |
|
2 | |
| Load | api-ms-win-core-localization-l1-2-1 | base_address = 0x0 |
|
2 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x777c0000 |
|
1 | |
| Get Filename | api-ms-win-core-localization-l1-2-1 | process_name = c:\users\aetadzjz\appdata\local\temp\isatsrv.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\iSatSrv.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll | function = InitializeCriticalSectionEx, address_out = 0x0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x76554f2b |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x76554208 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x76551252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x765d47f1 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetVersion, address_out = 0x777f873a |
|
1 |
System (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
5 | |
| Sleep | duration = 120000 milliseconds (120.000 seconds) |
|
1 | |
| Sleep | duration = 180000 milliseconds (180.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2019-02-08 09:22:00 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Network Behavior
TCP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 288 bytes |
| Total Data Received | 80 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 192.241.217.57:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x70 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 192.241.217.57 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49183 |
| Data Sent | 208 bytes |
| Data Received | 48 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 192.241.217.57, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 16 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 16 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 128, size_out = 128 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 16 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Session #2
| Information | Value |
|---|---|
| Handle | 0x70 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 192.241.217.57 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49183 |
| Data Sent | 80 bytes |
| Data Received | 32 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 192.241.217.57, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 16 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 16 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
