c283c47ed7ecb84bdedf5a856374b4a60d48e0d42c0c57d4ff61a16d71f3528b (SHA256)
Mining.exe
Windows Exe (x86-32)
Created at 2019-01-26 02:20:00
Notifications (1/1)
Due to a WHOIS service error, no query could be made to get WHOIS data of any contacted domain.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: mining.exe
232
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\mining.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:53, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:07, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf1c |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F20
0x
F3C
0x
F48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e61fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e80000 | 0x00f3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01000fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01003fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01013fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x01023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x010c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| mining.exe | 0x01140000 | 0x016d6fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000016e0000 | 0x016e0000 | 0x01adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001ae0000 | 0x01ae0000 | 0x01b97fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001bb0000 | 0x01bb0000 | 0x01faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x027affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027b0000 | 0x027b0000 | 0x02937fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002940000 | 0x02940000 | 0x02ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ad0000 | 0x02ad0000 | 0x03ecffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003ed0000 | 0x03ed0000 | 0x03f57fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004070000 | 0x04070000 | 0x0407ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004080000 | 0x04080000 | 0x0454efff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004080000 | 0x04080000 | 0x04546fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04080000 | 0x043b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x0488bfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x0488efff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74070000 | 0x74097fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x740a0000 | 0x740c0fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x740d0000 | 0x740d7fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x740e0000 | 0x74102fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74110000 | 0x74128fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74130000 | 0x7415ffff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74160000 | 0x74183fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74190000 | 0x743b3fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x743c0000 | 0x743d6fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x743e0000 | 0x745e8fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745f0000 | 0x745f7fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x74600000 | 0x74607fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x74d30000 | 0x74d8bfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x74d90000 | 0x74d95fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77080000 | 0x770b5fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x770c0000 | 0x770c6fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000000ff190000 | 0xff190000 | 0xff28ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000ff290000 | 0xff290000 | 0xff2b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000ff2b5000 | 0xff2b5000 | 0xff2b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff2b8000 | 0xff2b8000 | 0xff2bafff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff2bb000 | 0xff2bb000 | 0xff2bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff2be000 | 0xff2be000 | 0xff2befff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff2bf000 | 0xff2bf000 | 0xff2bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | 4.69 MB |
MD5:
5e137a5cf5138f25f5b3d74e7e694eac
SHA1: 243cac505e430609afd4807534a0ec27792c0796 SHA256: 2ae5e88dc24e02d2e4bb65bdf5be48b5430baa545188af8a6498d14bc3cf4191 SSDeep: 98304:ETVPCviLZiYvlp5pamq//BsIhwOuFL0hyP:IVKviL4Ytpam4ypOG0h |
|
|
| Zero_Two.tmp | 103.00 KB |
MD5:
dc94ab73eadb420e362697dfdea306a7
SHA1: fdcf1d67eb22b0fac6cb598d0a138c63b79fb0bf SHA256: ffeeb844993f2fee324a19467d8ed8a36d82084002542674b1f3ee111ca0e643 SSDeep: 3072:SzEWN5IyOrM2MrIfjblaX/g7q0LyejLl77W8rOirJTqX2wA2j8/VE:SxIyTIfj5aW |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | 50.11 KB |
MD5:
eb5b9cf9564f4d506c3a59fbb5efdf10
SHA1: eca33a3e475db1e9f62b99503fa2e7bf8ffbbe8a SHA256: 321c4580be28e5c71a40f0c9e3e005410fa6cdff335a53b16ef13470b3ea8278 SSDeep: 768:qy/MVdhrNfHPgdTjXm2X0Bwn6yfCHBW+wQ0zS7JuwvYywBT+ugKPNlMwJM/KYVHK:2bbP6j22X0SnfChJw1q+B6ugS2KYI |
|
|
Host Behavior
File (114)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | Zero_Two.tmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | Zero_Two.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Temp File | C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = aut |
|
1 | |
| Create Temp File | C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = aut |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | type = file_type |
|
1 | |
| Get Info | Zero_Two.tmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | type = file_type |
|
2 | |
| Get Info | Zero_Two.tmp | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Copy | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp | source_filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | size = 61440, size_out = 47216 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | size = 12288, size_out = 0 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | size = 65536 |
|
75 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | size = 4096 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | size = 1536 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | size = 49152 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | size = 2160 |
|
1 | |
| Write | Zero_Two.tmp | size = 65536 |
|
1 | |
| Write | Zero_Two.tmp | size = 36864 |
|
1 | |
| Write | Zero_Two.tmp | size = 3072 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | - |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe /c Zero_Two.tmp | os_pid = 0xf84, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe /c C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp | os_pid = 0xf8c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (60)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x74f40000 |
|
9 | |
| Load | C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe | base_address = 0x1140000 |
|
4 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\mining.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\mining.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, size = 32767 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x74f5a410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x74f5ebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x74f5eb90 |
|
4 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x74f5ebb0 |
|
3 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 |
System (42)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
2 | |
| Get Time | type = System Time, time = 2019-01-26 02:21:37 (UTC) |
|
13 | |
| Get Time | type = System Time, time = 2019-01-26 02:21:38 (UTC) |
|
11 | |
| Get Time | type = System Time, time = 2019-01-26 02:21:39 (UTC) |
|
14 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
2 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\ciihmnxmn6ps\desktop\mining.exe | - |
|
1 |
Process #2: cmd.exe
51
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c Zero_Two.tmp |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:52 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf84 |
| Parent PID | 0xf1c (c:\users\ciihmnxmn6ps\desktop\mining.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F88
0x
B84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000020000 | 0x00020000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00033fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00040fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00043fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00063fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00290000 | 0x0034dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x006c0000 | 0x009f6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x00f80000 | 0x00fcffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x04fcffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7e760000 | 0x7eaeffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7ebeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7ec12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec13000 | 0x7ec13000 | 0x7ec13fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec17000 | 0x7ec17000 | 0x7ec17fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1a000 | 0x7ec1a000 | 0x7ec1cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1d000 | 0x7ec1d000 | 0x7ec1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | Zero_Two.tmp | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\Zero_Two.tmp | os_pid = 0xc10, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xf80000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #3: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:01:23, Reason: Self Terminated |
| Monitor Duration | 00:00:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf8c |
| Parent PID | 0xf1c (c:\users\ciihmnxmn6ps\desktop\mining.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F90
0x
FF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007c0000 | 0x007c0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00803fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00953fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00960fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00971fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b40000 | 0x00bfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00f80000 | 0x00fcffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x04fcffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04fd0000 | 0x05306fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7f480000 | 0x7f80ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007f810000 | 0x7f810000 | 0x7f90ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f910000 | 0x7f910000 | 0x7f932fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f938000 | 0x7f938000 | 0x7f93afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f93b000 | 0x7f93b000 | 0x7f93dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f93e000 | 0x7f93e000 | 0x7f93efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f93f000 | 0x7f93f000 | 0x7f93ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp | os_pid = 0xa38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xf80000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #6: zero_two.tmp
541
20
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\ciihmnxmn6ps\desktop\zero_two.tmp |
| Command Line | Zero_Two.tmp |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc10 |
| Parent PID | 0xf84 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C28
0x
C30
0x
D44
0x
D24
0x
B6C
0x
518
0x
CD4
0x
6B4
0x
DF8
0x
5BC
0x
DD8
0x
DD4
0x
278
0x
68C
0x
B3C
0x
B64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000320000 | 0x00320000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x0032ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00340fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00363fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004d0000 | 0x0058dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00660fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00670fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0079ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00b87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00d10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d8ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| zero_two.tmp | 0x00dc0000 | 0x00dddfff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x021dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000021e0000 | 0x021e0000 | 0x022dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022e0000 | 0x022e0000 | 0x0231ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002320000 | 0x02320000 | 0x0232ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000002330000 | 0x02330000 | 0x02330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002340000 | 0x02340000 | 0x0234ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002350000 | 0x02350000 | 0x0434ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x0444ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04450000 | 0x04786fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x0488ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x048cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x048fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x0493ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x0494ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000004950000 | 0x04950000 | 0x0594ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005950000 | 0x05950000 | 0x05a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a80000 | 0x05a80000 | 0x06a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a80000 | 0x06a80000 | 0x06ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006cd0000 | 0x06cd0000 | 0x07ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007cd0000 | 0x07cd0000 | 0x08ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008cd0000 | 0x08cd0000 | 0x09ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009cd0000 | 0x09cd0000 | 0x09dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009dd0000 | 0x09dd0000 | 0x09ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009ed0000 | 0x09ed0000 | 0x09fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009fd0000 | 0x09fd0000 | 0x0a00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a010000 | 0x0a010000 | 0x0a10ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a110000 | 0x0a110000 | 0x0a14ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a150000 | 0x0a150000 | 0x0a24ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000000a250000 | 0x0a250000 | 0x0a250fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000000a260000 | 0x0a260000 | 0x0a29ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x0a2a0000 | 0x0a2a3fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0x0a2b0000 | 0x0a2f2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x0a300000 | 0x0a303fff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x0a310000 | 0x0a320fff | Memory Mapped File | r |
|
|
|
- |
| cversions.1.db | 0x0a330000 | 0x0a333fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x0a340000 | 0x0a352fff | Memory Mapped File | r |
|
|
|
- |
| system.windows.forms.dll | 0x0a370000 | 0x0a807fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000000a810000 | 0x0a810000 | 0x0a90ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x0a910000 | 0x0a99afff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000000a9a0000 | 0x0a9a0000 | 0x0a9dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a9e0000 | 0x0a9e0000 | 0x0aadffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x71bb0000 | 0x71db6fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x71dc0000 | 0x71f01fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x71f10000 | 0x728bcfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x728c0000 | 0x7293cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x72a10000 | 0x73c3afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x73c40000 | 0x73d34fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x73dd0000 | 0x74477fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74480000 | 0x74487fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74490000 | 0x744befff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x744c0000 | 0x744dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x744e0000 | 0x744f2fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74500000 | 0x74527fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74530000 | 0x745a7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x745b0000 | 0x74608fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76fe0000 | 0x77061fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77080000 | 0x770b5fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f228000 | 0x7f228000 | 0x7f22afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22b000 | 0x7f22b000 | 0x7f22dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22e000 | 0x7f22e000 | 0x7f230fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f231000 | 0x7f231000 | 0x7f233fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f234000 | 0x7f234000 | 0x7f236fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f237000 | 0x7f237000 | 0x7f239fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23a000 | 0x7f23a000 | 0x7f23cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23d000 | 0x7f23d000 | 0x7f23ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f240000 | 0x7f240000 | 0x7f33ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f340000 | 0x7f340000 | 0x7f362fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f365000 | 0x7f365000 | 0x7f365fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f366000 | 0x7f366000 | 0x7f368fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f369000 | 0x7f369000 | 0x7f36bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f36c000 | 0x7f36c000 | 0x7f36efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f36f000 | 0x7f36f000 | 0x7f36ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 80 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| Zero_Two.tmp | 103.00 KB |
MD5:
dc94ab73eadb420e362697dfdea306a7
SHA1: fdcf1d67eb22b0fac6cb598d0a138c63b79fb0bf SHA256: ffeeb844993f2fee324a19467d8ed8a36d82084002542674b1f3ee111ca0e643 SSDeep: 3072:SzEWN5IyOrM2MrIfjblaX/g7q0LyejLl77W8rOirJTqX2wA2j8/VE:SxIyTIfj5aW |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
Host Behavior
File (22)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\ProgramData\WinSys.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\Zero_Two.tmp.config | type = file_attributes |
|
2 | |
| Copy | C:\ProgramData\WinSys.exe | source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\Zero_Two.tmp |
|
1 | |
| Copy | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe | source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\Zero_Two.tmp |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | size = 4096, size_out = 4096 |
|
8 | |
| Read | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | size = 4096, size_out = 3215 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | size = 4096, size_out = 0 |
|
1 |
Registry (35)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework | value_name = LegacyWPADSupport, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = TZI, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = FirstEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = FirstEntry, data = 2007, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = LastEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = LastEntry, data = 2008, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = 2007, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = 2008, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Display, data = @tzres.dll,-670, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Std, data = @tzres.dll,-672, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Dlt, data = @tzres.dll,-671, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | value_name = HWRPortReuseOnSocketBind, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | value_name = SchUseStrongCrypto, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgManagedDebugger, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | schtasks.exe | show_window = SW_HIDE |
|
2 |
Module (17)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\en-US\tzres.dll.mui | base_address = 0xae50001 |
|
3 | |
| Load | comctl32.dll | base_address = 0x70470000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f40000 |
|
1 | |
| Get Handle | comctl32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | comctl32.dll | base_address = 0x70470000 |
|
3 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x76c70000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\zero_two.tmp | base_address = 0xdc0000 |
|
5 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcW, address_out = 0x7772caa0 |
|
1 |
Window (10)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | .NET-BroadcastEventWindow.4.0.0.0.bf7771.0 | class_name = .NET-BroadcastEventWindow.4.0.0.0.bf7771.0, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551612, new_long = 2004011680 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551612, new_long = 76809886 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551612, new_long = 2004011680 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551612, new_long = 76809926 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551608, new_long = 0 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551600, new_long = 47120384 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551596, new_long = 327680 |
|
1 |
System (416)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
412 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = f6a845a7-3909-486d-8d82-29892b2a38d4 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = COR_ENABLE_PROFILING |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Net.HttpWebRequest_Disabled |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Net.HttpWebRequest_MinCount |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Net.Connection_Disabled |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Net.Connection_MinCount |
|
1 | |
| Get Environment String | name = PinnableBufferCache_System.Net.SslStream_Disabled |
|
2 | |
| Get Environment String | name = PinnableBufferCache_System.Net.SslStream_MinCount |
|
2 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = iplogger.org, address_out = 88.99.66.31 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 407 bytes |
| Total Data Received | 6.70 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 88.99.66.31:443 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x65c |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 88.99.66.31 |
| Remote Port | 443 |
| Local Address | 0.0.0.0 |
| Local Port | 49429 |
| Data Sent | 407 bytes |
| Data Received | 6.70 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 88.99.66.31, remote_port = 443 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 124, size_out = 124 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 93, size_out = 93 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5725, size_out = 5725 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 331, size_out = 331 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4, size_out = 4 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 134, size_out = 134 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 149, size_out = 149 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 624, size_out = 624 |
|
1 |
Process #7: 517847183.tmp
624
7
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\ciihmnxmn6ps\appdata\roaming\517847183.tmp |
| Command Line | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa38 |
| Parent PID | 0xf8c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B80
0x
924
0x
CF0
0x
CF8
0x
DBC
0x
DE0
0x
DDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001c0000 | 0x0027dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00340fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00372fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00380fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00390fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| 517847183.tmp | 0x00400000 | 0x00eb8fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0x00f80000 | 0x00f82fff | Memory Mapped File | r |
|
|
|
- |
| wshqos.dll | 0x00f80000 | 0x00f87fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x0118ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x01317fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001320000 | 0x01320000 | 0x014a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000014b0000 | 0x014b0000 | 0x028affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000028b0000 | 0x028b0000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x029bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x029c0000 | 0x02cf6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x0336efff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x12efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000012f00000 | 0x12f00000 | 0x332fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000012f00000 | 0x12f00000 | 0x12ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000013000000 | 0x13000000 | 0x32ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033000000 | 0x33000000 | 0x330fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033100000 | 0x33100000 | 0x331fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033200000 | 0x33200000 | 0x3323ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033240000 | 0x33240000 | 0x3333ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033340000 | 0x33340000 | 0x3337ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033380000 | 0x33380000 | 0x3347ffff | Private Memory | rw |
|
|
|
- |
| mswsock.dll | 0x33480000 | 0x334cdfff | Memory Mapped File | r |
|
|
|
- |
| wshqos.dll.mui | 0x33480000 | 0x33480fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000033480000 | 0x33480000 | 0x334bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000334c0000 | 0x334c0000 | 0x335bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000335c0000 | 0x335c0000 | 0x3366ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033670000 | 0x33670000 | 0x336affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000336b0000 | 0x336b0000 | 0x336effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x72790000 | 0x727d5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x727e0000 | 0x727e7fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x727f0000 | 0x7281ffff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x72820000 | 0x72827fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x72830000 | 0x728b3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x72940000 | 0x7298dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x72990000 | 0x729befff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x729c0000 | 0x729dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x729e0000 | 0x729f2fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x72a00000 | 0x72a07fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x73d40000 | 0x73d60fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x73d70000 | 0x73d92fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x73da0000 | 0x73dc3fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74490000 | 0x74521fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x74880000 | 0x749f4fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x74d30000 | 0x74d8bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77070000 | 0x7707dfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77080000 | 0x770b5fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x770c0000 | 0x770c6fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fea4000 | 0x7fea4000 | 0x7fea6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\LoginData1 | 18.00 KB |
MD5:
b22b1727c127485e970296265351b582
SHA1: c6f71441e5709ae15583c60ab9f839190b08f59f SHA256: c6454fe10eaa9e375ee46ed82a2c851f1adae49061234f48c80135bbd17f0f7f SSDeep: 48:gz+JH3yJUhJCVE9V8FsXhFlNU1V6kxqW:HJH3FC2V8uRFleq |
|
|
| C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data1 | 68.00 KB |
MD5:
844cec6a8e7c5513034fc125fc54b803
SHA1: f92eb4fb1df0ceb51b862443ae04f48bac51c9d3 SHA256: 8aee391a40e74ff388cf53f5360e1d38793d4573b9f49e21e607ed3b6428b809 SSDeep: 96:VtyNQIoYnMvqyWx7pnqH+w/fVIrECuKdPraBdUDBBVWqwmKT/WTPepeWbtxYMxCc:rlkMvuzzTP6btttlhS+3 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_cookie.txt | 0.92 KB |
MD5:
83af5f4c5f75035b99d0ea54f283743d
SHA1: ff284abdf4d494cb38b98bb29ab7c0eb01a576b2 SHA256: adb6d362bfa54dec0438fd4605f8cc999c4ef5a88d969091032371b3e1c61040 SSDeep: 24:5hgb4FV2EnwDHAXLQQLQQPMw4ORRiv+8bAJpVGkz+b1:SWof2LQQLQQFtRRi8JTGQe |
|
|
| C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies1 | 13.00 KB |
MD5:
238396aae89ede96ac12f6ebe90f36e4
SHA1: 38b7167e1add52c84f9c160694554b4d5891f9d9 SHA256: c23537b8da96bf92eb88380d6b311bc397ddf02328aefd2c64f08af132cf1882 SSDeep: 96:WanSNDXhnQSMqD679/OJm0qZwO8WIjNgIbFrjunl:WRhXyb3fcBvZOl |
|
|
Host Behavior
File (450)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\LoginData1 | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_logins.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies1 | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_cookie.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data1 | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_ccdata.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\PxEr | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\l394 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\_private | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\T1aUiNcB6vFXJ--CGqod | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\M5TeHLkrBV3p | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\0xI5fMN1PN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\Gzsosc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\My Music | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\My Pictures | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\My Videos | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\Coins/ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\Desktop/ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_ccdata.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_cookie.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_logins.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\uy3novuytt14.zip | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\ | - |
|
1 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\Desktop\ | - |
|
1 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\Coins\ | - |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Chromium\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Uran\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Chromodo\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google (x86)\\Chrome\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Comodo\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\K-Melon\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Nichrome\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data | type = file_type |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data | type = attributes,time,size,volserialno |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1-journal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1-wal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1 | type = size, size_out = 0 |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies | type = file_type |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies | type = attributes,time,size,volserialno |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1-journal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1-wal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1 | type = size, size_out = 0 |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data | type = file_type |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data | type = attributes,time,size,volserialno |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-journal | type = file_attributes |
|
6 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-wal | type = file_attributes |
|
6 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1 | type = size, size_out = 0 |
|
6 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Opera Stable\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Opera Software\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Kometa\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Orbitum\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Amigo\\User\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Torch\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\360Browser\\Browser\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Vivaldi\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Sputnik\\Sputnik\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Maxthon3\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\CocCoc\\Browser\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Comodo\\Dragon\\User Data\\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\Desktop\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\18jnma3B6wuLf95.xlsx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\2SdJFUJ3QcigRje1.bmp | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\2mJtsm60nn2j5QJsI.jpg | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\DWBGUTID.bmp | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\FGITMr.avi | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\HWDisbS1QNhaWpm.gif | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\J-k6n.png | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\KBf9mkpw7.flv | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\PxEr | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\7bp3AQu3i4dy1.m4a | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\8j7q3kHOQ.jpg | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\KJ11.m4a | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\SNlWtxM6kYgAQev78.swf | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\T5HEfd16HKMZ.avi | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\RFPCBqkh_x.mkv | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\KTZ9.gif | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\XvvcPoLwXH0.flv | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\r pCdnKEWp6D51EeOX 1.swf | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\rd0rKyb.m4a | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\U80VGJPNM.gif | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\WozKdnD.swf | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\Ww-dQfUi.jpg | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\Zero_Two.tmp | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\desktop.ini | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\gCgINgfUhblgdtEy0U.bmp | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\gF- u.flv | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\hBtwHSisB60-Xgcl.png | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\hJ-x23vCcYTp8Kc6U.csv | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\htSGnnW4JpPCITcKP2.png | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\jWzINLZVsoiWer2ST.mp3 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\jgZ4.pdf | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\kvAy_.wav | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\l394 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\l394\ANRt9-FGo-n4CEbi.pps | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\l394\IPJ s0JVt.jpg | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\l394\Lehz0J.wav | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\CxWh-xBX1wCvo72wky.bmp | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\YWXL.gif | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\gJjRqPmSBkBkWg.mp4 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\nn8SdT3X3elZEs.xlsx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\4fQnrkTzw96p.xls | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\_N7lr 3CQR5J7iZRE LH.bmp | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\u_p4zMGHb0kifah6_u.png | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\vzjDwRP82awwx8-.m4a | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\mc 5AFKDPYEmc3MLPj.gif | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\qKGT5tsYg3Y4-2.ots | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\qqlRDHBXtHhZ.doc | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\tXvmVTqXXNByY05.pptx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\z_3Kra5cmE57PxsVB5.m4a | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\zqsB0mfxVN2YzK.mkv | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\0gXXaUFM0-oK8ASWVeB2.odt | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\474Aa-gWj7KzBTd.pptx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\4FDCScX 2-THZ.docx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\AOOPjkYG.xlsx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Jw m_Mb8OQ9Wq.docx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Jxv-rzXyEE19FAyQX M9.pptx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\KwryMsWE5_ey2mlC6PT.xlsx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\LqzHI0iYpnfWYJs_8l.pps | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\My Music | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\My Pictures | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\_private | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\_private\folder.ico | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\desktop.ini | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\My Videos | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FileZilla\recentservers.xml | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FileZilla\sitemanager.xml | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\Coins\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Florincoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\GoldCoin (GLD)\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Infinitecoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Ethereum\\keystore | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Exodus\\seed.seco | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\ElectronCash\\wallets\\default_wallet | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Zcash\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Megacoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\MultiDoge\\multidoge.wallet | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\devcoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\digitalcoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Franko\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Primecoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Electrum\\wallets\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\ethereum wallet\\keystore | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\monero-project\\wallets\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Litecoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Namecoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\mSIGNA_Bitcoin\\wallets\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Exodus\\exodus.wallet | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\BBQCoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Freicoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Ethereum Wallet\\keystore | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Anoncoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Mincoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Electrum\\wallets\\default_wallet | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Electrum-LTC\\wallets\\default_wallet | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\IOCoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\YACoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Armory\\wallets\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\monero-project\\keystore | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Bitcoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Ixcoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Bitcoin\\wallets\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Exodus\\passphrase.json | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\DashCore\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Terracoin\\wallet.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Quick Notes.one | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\-3fAJrCVRX8Z_.pdf | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\2zz6XD.ods | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\M88XZ_9wxNc7qto8l9A.ots | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\YgeNEaLqCMGtQe2U.docx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\ff4vv.docx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\T1aUiNcB6vFXJ--CGqod | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\T1aUiNcB6vFXJ--CGqod\7Y2KU.odt | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\T1aUiNcB6vFXJ--CGqod\Fu4M.doc | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\VH h8C1yZasfM.docx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Vl6bQQ.docx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\WFkwOdvoA7Vk.doc | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\X9PEQy53-SCiln9P3.xlsx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\_ujogiH.ots | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\bDORZAiJr.pptx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\cKtMEtjnjEDfMU zbt6j.xlsx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\ca9SVssXOq.ppt | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\desktop.ini | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\k0tYWAc4dttDx3JlJZkG.xlsx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\krFCKYCSAG9moR.pptx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\mopisQ6oP.pptx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\J0tU_uAif-0.csv | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\YaSOjCr.ots | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\eSl6PLPg.ods | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\zWJfCn63h.ots | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\s0_cMgCwVuXzkTaEQg.docx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\swHXblMQ.xlsx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE\Sw_iOiUInGypOnydn.ods | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE\fVI5YTPfuh.docx | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE\pAJfw48xGeJZG-0b.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE\vZDFl6zVO0pP.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\JxlVX0MRaEd hFblBqQd.xls | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\LZS2R4KdG.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\M5TeHLkrBV3p | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\M5TeHLkrBV3p\PCTUmYJVI.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\M5TeHLkrBV3p\RaI9fNRmP vymY.pps | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\M5TeHLkrBV3p\oTa7wOUOPb3nj3.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\MM8.ods | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\NYCSLit_gX_h1xe.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\bdDE.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\cXcMGyPbl.ppt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\j1cn9NvnJH9.pps | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\sNxcAApPrgIsmmQkx.xls | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\wgc9Z7T.doc | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\yVa67kWGu4a5d29.pps | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\0xI5fMN1PN | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\0xI5fMN1PN\MZ-9QigFKDnFEHDX5Rf.xls | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\Gzsosc | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\Gzsosc\AN-9MFF84r4wx4rFhO4.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\sNwfmXP-WKMx-mH.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\G9cdn4hkzfdlc2XWfx7.ods | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\dZBwx8S4Mnz.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\s1gZwO.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\My Music | type = attributes,time,size,volserialno |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\My Pictures | type = attributes,time,size,volserialno |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\My Videos | type = attributes,time,size,volserialno |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_ccdata.txt | type = file_type |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_ccdata.txt | type = attributes,time,size,volserialno |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_cookie.txt | type = file_type |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_cookie.txt | type = attributes,time,size,volserialno |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_logins.txt | type = file_type |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_logins.txt | type = attributes,time,size,volserialno |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data | size = 18944, size_out = 18432 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data | size = 512, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1 | size = 100, size_out = 100 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1 | size = 2048, size_out = 2048 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1 | size = 16, size_out = 16 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies | size = 13824, size_out = 13312 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies | size = 512, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1 | size = 100, size_out = 100 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1 | size = 1024, size_out = 1024 |
|
7 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1 | size = 16, size_out = 16 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data | size = 70144, size_out = 69632 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data | size = 512, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1 | size = 100, size_out = 100 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1 | size = 2048, size_out = 2048 |
|
9 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1 | size = 16, size_out = 16 |
|
5 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_ccdata.txt | size = 512, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_cookie.txt | size = 1452, size_out = 940 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_cookie.txt | size = 512, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_logins.txt | size = 512, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\uy3novuytt14.zip | size = 32768, size_out = 1044 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\uy3novuytt14.zip | size = 32768, size_out = 0 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\LoginData1 | size = 18432 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_logins.txt | size = 0 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies1 | size = 13312 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_cookie.txt | size = 940 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data1 | size = 69632 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_ccdata.txt | size = 0 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents\My Videos | size = 1044 |
|
1 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Wine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Hardware\description\System | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\\Valve\\Steam | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\\Classes\\tdesktop.tg\\shell\\open\\command | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | value_name = DriverDesc, data = 77 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Hardware\description\System | value_name = SystemBiosVersion, data = 76 |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Hardware\description\System | value_name = VideoBiosVersion, data = 76 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\\Valve\\Steam | value_name = steampath, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\\Classes\\tdesktop.tg\\shell\\open\\command | data = 0, type = REG_NONE |
|
1 |
Module (105)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x76c70000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77550000 |
|
1 | |
| Load | NTDLL.dll | base_address = 0x776b0000 |
|
1 | |
| Load | winmm.dll | base_address = 0x73da0000 |
|
3 | |
| Load | NTDLL | base_address = 0x776b0000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x76f20000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x74d30000 |
|
3 | |
| Load | kernel32.dll | base_address = 0x74f40000 |
|
4 | |
| Load | advapi32.dll | base_address = 0x77550000 |
|
2 | |
| Load | ntdll.dll | base_address = 0x776b0000 |
|
1 | |
| Load | Crypt32.dll | base_address = 0x74880000 |
|
1 | |
| Load | Kernel32.dll | base_address = 0x74f40000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x776b0000 |
|
18 | |
| Get Handle | dateinj01.dll | base_address = 0x0 |
|
1 | |
| Get Handle | cmdvrt32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | SbieDll.dll | base_address = 0x0 |
|
1 | |
| Get Filename | SbieDll.dll | process_name = c:\users\ciihmnxmn6ps\appdata\roaming\517847183.tmp, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp, size = 256 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x74f5a410 |
|
1 | |
| Get Address | c:\windows\syswow64\winmm.dll | function = timeGetTime, address_out = 0x73da3a10 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtOpenThread, address_out = 0x77719d70 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x77718f40 |
|
9 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAllocateHeap, address_out = 0x776eda90 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AddDllDirectory, address_out = 0x752be9e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AddVectoredContinueHandler, address_out = 0x77759670 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetQueuedCompletionStatusEx, address_out = 0x74f81320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SystemFunction036, address_out = 0x747b2530 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtWaitForSingleObject, address_out = 0x77718c00 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = wine_get_version, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f5a060 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetHandleInformation, address_out = 0x74f65f50 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x74d42420 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CancelIoEx, address_out = 0x74f5ebd0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileCompletionNotificationModes, address_out = 0x74f64810 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAEnumProtocolsW, address_out = 0x74d45b50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableW, address_out = 0x74f59540 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x74f66150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesExW, address_out = 0x74f66330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x74f66250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandle, address_out = 0x74f66350 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| Get Address | c:\windows\syswow64\crypt32.dll | function = CryptUnprotectData, address_out = 0x748caf50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x74f66290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x74f661d0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextW, address_out = 0x77570730 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGenRandom, address_out = 0x77570df0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = GetAddrInfoW, address_out = 0x74d39d90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = FreeAddrInfoW, address_out = 0x74d34b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSASocketW, address_out = 0x74d398a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = setsockopt, address_out = 0x74d39560 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x74d3e0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x74d39780 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x74d3dca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockname, address_out = 0x74d3e030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getpeername, address_out = 0x74d412c0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSARecv, address_out = 0x74d3d6c0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSASend, address_out = 0x74d3d530 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x74d39ba0 |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Find | - | class_name = FilemonClass |
|
2 | |
| Find | File Monitor - Sysinternals: www.sysinternals.com | - |
|
2 | |
| Find | - | class_name = PROCMON_WINDOW_CLASS |
|
2 | |
| Find | Process Monitor - Sysinternals: www.sysinternals.com | - |
|
2 | |
| Find | - | class_name = RegmonClass |
|
1 | |
| Find | Registry Monitor - Sysinternals: www.sysinternals.com | - |
|
1 | |
| Find | - | class_name = 18467-41 |
|
1 |
System (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 50 milliseconds (0.050 seconds) |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-26 13:21:46 (Local Time) |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-26 13:21:53 (Local Time) |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Hardware Information |
|
3 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = SYSTEM_MODULE_INFORMATION |
|
9 |
Environment (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = GODEBUG |
|
3 | |
| Get Environment String | name = DEBUG_HTTP2_GOROUTINES |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Roaming |
|
2 | |
| Get Environment String | name = HTTP_PROXY |
|
1 | |
| Get Environment String | name = http_proxy |
|
1 | |
| Get Environment String | name = HTTPS_PROXY |
|
1 | |
| Get Environment String | name = https_proxy |
|
1 | |
| Get Environment String | name = NO_PROXY |
|
1 | |
| Get Environment String | name = no_proxy |
|
1 | |
| Get Environment String | name = REQUEST_METHOD |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = u2884418ra.ha002.t.justns.ru, address_out = 185.22.155.227 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 0 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 185.22.155.227:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x224 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_IP |
| Remote Address | 185.22.155.227 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49428 |
| Data Sent | 0 bytes |
| Data Received | 0 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Bind | local_address = 0.0.0.0, local_port = 49428, hint = OS assigned a local port from the dynamic client port range |
|
1 | |
| Connect | remote_address = 185.22.155.227, remote_port = 80 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 321560628 |
|
1 | |
| Send | flags = NO_FLAG_SET, size_out = 1579 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
Process #8: schtasks.exe
13
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | "C:\Windows\System32\schtasks.exe" /create /tn WinRun /tr "C:/ProgramData/WinSys.exe" /sc minute /F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:01:28, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde4 |
| Parent PID | 0xc10 (c:\users\ciihmnxmn6ps\desktop\zero_two.tmp) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DB4
0x
860
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a00000 | 0x00a00000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b00000 | 0x00bbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x00c50000 | 0x00c62fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe | 0x00f40000 | 0x00f71fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x04f7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0511ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05120000 | 0x05456fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x729e0000 | 0x72a0cfff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x73d40000 | 0x73dcbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76fe0000 | 0x77061fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed60000 | 0x7ed60000 | 0x7ee5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee60000 | 0x7ee60000 | 0x7ee82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee84000 | 0x7ee84000 | 0x7ee84fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee85000 | 0x7ee85000 | 0x7ee85fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee8a000 | 0x7ee8a000 | 0x7ee8cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee8d000 | 0x7ee8d000 | 0x7ee8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2019-01-26T13:22:00 |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 68 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0xf40000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Local Time, time = 2019-01-26 13:22:03 (Local Time) |
|
2 | |
| Get Time | type = Local Time, time = 2019-01-26 13:22:04 (Local Time) |
|
1 |
Process #10: schtasks.exe
13
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | "C:\Windows\System32\schtasks.exe" /create /tn SystemUpdate /tr "C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe" /sc hourly /F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:01:28, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0xc10 (c:\users\ciihmnxmn6ps\desktop\zero_two.tmp) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2EC
0x
55C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002c0000 | 0x002c0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x00303fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00393fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x00440000 | 0x00452fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00470000 | 0x0052dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00810000 | 0x00b46fff | Memory Mapped File | r |
|
|
|
- |
| schtasks.exe | 0x00f40000 | 0x00f71fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x04f7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x729e0000 | 0x72a0cfff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x73d40000 | 0x73dcbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76fe0000 | 0x77061fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9d0000 | 0x7e9d0000 | 0x7eacffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ead0000 | 0x7ead0000 | 0x7eaf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eaf7000 | 0x7eaf7000 | 0x7eaf7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaf8000 | 0x7eaf8000 | 0x7eafafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eafb000 | 0x7eafb000 | 0x7eafbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eafd000 | 0x7eafd000 | 0x7eafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2019-01-26T13:22:00 |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 74 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0xf40000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Local Time, time = 2019-01-26 13:22:03 (Local Time) |
|
3 |
Process #12: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:26, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:28 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x324 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
DB8
0x
CFC
0x
DCC
0x
D28
0x
D30
0x
D04
0x
D08
0x
CD8
0x
A94
0x
CC4
0x
AF4
0x
65C
0x
7A0
0x
FB8
0x
F58
0x
F50
0x
F44
0x
E1C
0x
E18
0x
E14
0x
E10
0x
E08
0x
E04
0x
D4C
0x
D48
0x
D3C
0x
87C
0x
6D8
0x
24C
0x
8B4
0x
8B0
0x
894
0x
864
0x
43C
0x
7A8
0x
778
0x
758
0x
750
0x
73C
0x
734
0x
730
0x
72C
0x
700
0x
6FC
0x
64C
0x
634
0x
624
0x
604
0x
600
0x
5F8
0x
5F0
0x
5EC
0x
5E8
0x
5E0
0x
5CC
0x
5C8
0x
5B4
0x
5B0
0x
594
0x
590
0x
574
0x
50C
0x
40C
0x
374
0x
140
0x
18C
0x
14C
0x
FC
0x
F8
0x
F4
0x
3FC
0x
3EC
0x
3E8
0x
3E0
0x
3D0
0x
3CC
0x
3C8
0x
3B8
0x
390
0x
328
0x
248
0x
910
0x
3DC
0x
A68
0x
7FC
0x
A90
0x
AD4
0x
15C
0x
C08
0x
C20
0x
C24
0x
5C0
0x
8CC
0x
DA4
0x
618
0x
4D0
0x
8AC
0x
F34
0x
F7C
0x
F48
0x
F3C
0x
E58
0x
790
0x
C34
0x
41C
0x
CCC
0x
DF4
0x
D20
0x
820
0x
DF0
0x
AE4
0x
D1C
0x
FB0
0x
DC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000b42eea0000 | 0xb42eea0000 | 0xb42eeaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xb42eeb0000 | 0xb42eeb0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b42eec0000 | 0xb42eec0000 | 0xb42eed3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42eee0000 | 0xb42eee0000 | 0xb42ef5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42ef60000 | 0xb42ef60000 | 0xb42ef63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42ef70000 | 0xb42ef70000 | 0xb42ef70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42ef80000 | 0xb42ef80000 | 0xb42ef81fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42ef90000 | 0xb42ef90000 | 0xb42f00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42f010000 | 0xb42f010000 | 0xb42f016fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb42f020000 | 0xb42f0ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b42f0e0000 | 0xb42f0e0000 | 0xb42f0e0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42f0f0000 | 0xb42f0f0000 | 0xb42f0f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42f100000 | 0xb42f100000 | 0xb42f1fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f200000 | 0xb42f200000 | 0xb42f2bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f2c0000 | 0xb42f2c0000 | 0xb42f2c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f2d0000 | 0xb42f2d0000 | 0xb42f2d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f2e0000 | 0xb42f2e0000 | 0xb42f2e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f2f0000 | 0xb42f2f0000 | 0xb42f2f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f300000 | 0xb42f300000 | 0xb42f3fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f400000 | 0xb42f400000 | 0xb42f587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f590000 | 0xb42f590000 | 0xb42f710fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f720000 | 0xb42f720000 | 0xb42f79ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42f7a0000 | 0xb42f7a0000 | 0xb42f81ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f820000 | 0xb42f820000 | 0xb42f820fff | Pagefile Backed Memory | rw |
|
|
|
- |
| iphlpsvc.dll.mui | 0xb42f830000 | 0xb42f83cfff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xb42f840000 | 0xb42f843fff | Memory Mapped File | r |
|
|
|
- |
| gpsvc.dll.mui | 0xb42f850000 | 0xb42f85cfff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xb42f860000 | 0xb42f863fff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0xb42f870000 | 0xb42f880fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b42f890000 | 0xb42f890000 | 0xb42f896fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f8a0000 | 0xb42f8a0000 | 0xb42f8a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f8b0000 | 0xb42f8b0000 | 0xb42f8b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f8c0000 | 0xb42f8c0000 | 0xb42f8c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f8d0000 | 0xb42f8d0000 | 0xb42f8d6fff | Private Memory | rw |
|
|
|
- |
| activeds.dll.mui | 0xb42f8e0000 | 0xb42f8e1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b42f8f0000 | 0xb42f8f0000 | 0xb42f8f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b42f900000 | 0xb42f900000 | 0xb42f9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42fa00000 | 0xb42fa00000 | 0xb42fafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42fb00000 | 0xb42fb00000 | 0xb42fbfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xb42fc00000 | 0xb42ff36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b42ff40000 | 0xb42ff40000 | 0xb43003ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430040000 | 0xb430040000 | 0xb43013ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430140000 | 0xb430140000 | 0xb43023ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430240000 | 0xb430240000 | 0xb43033ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430340000 | 0xb430340000 | 0xb4303bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b4303c0000 | 0xb4303c0000 | 0xb4303c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| vsstrace.dll.mui | 0xb4303d0000 | 0xb4303d8fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll | 0xb4303e0000 | 0xb4303e4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0xb4303f0000 | 0xb4303fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b430400000 | 0xb430400000 | 0xb4304fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430500000 | 0xb430500000 | 0xb4305fffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xb430600000 | 0xb43068afff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0xb430690000 | 0xb430692fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b4306a0000 | 0xb4306a0000 | 0xb4306a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b4306b0000 | 0xb4306b0000 | 0xb4306b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| newdev.dll.mui | 0xb4306c0000 | 0xb4306c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b4306d0000 | 0xb4306d0000 | 0xb4306d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b4306e0000 | 0xb4306e0000 | 0xb4306e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b4306f0000 | 0xb4306f0000 | 0xb4306f7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430700000 | 0xb430700000 | 0xb4307fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430800000 | 0xb430800000 | 0xb4308fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430900000 | 0xb430900000 | 0xb43097ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0xb430980000 | 0xb4309c2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b4309d0000 | 0xb4309d0000 | 0xb430a10fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a20000 | 0xb430a20000 | 0xb430a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a30000 | 0xb430a30000 | 0xb430a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a40000 | 0xb430a40000 | 0xb430a40fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a50000 | 0xb430a50000 | 0xb430a50fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a60000 | 0xb430a60000 | 0xb430a66fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a70000 | 0xb430a70000 | 0xb430a73fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a80000 | 0xb430a80000 | 0xb430b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430b80000 | 0xb430b80000 | 0xb430c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430c80000 | 0xb430c80000 | 0xb430cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430d00000 | 0xb430d00000 | 0xb430dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430e00000 | 0xb430e00000 | 0xb430efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430f00000 | 0xb430f00000 | 0xb430ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431000000 | 0xb431000000 | 0xb4310fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431100000 | 0xb431100000 | 0xb4311fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431200000 | 0xb431200000 | 0xb4312fffff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0xb431300000 | 0xb43130ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431310000 | 0xb43131ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431320000 | 0xb43132ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431330000 | 0xb43133ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431340000 | 0xb43134ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431350000 | 0xb43135ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431360000 | 0xb43136ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431370000 | 0xb43137ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b431380000 | 0xb431380000 | 0xb43147ffff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0xb431480000 | 0xb43148ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431490000 | 0xb43149ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314a0000 | 0xb4314affff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314b0000 | 0xb4314bffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314c0000 | 0xb4314cffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314d0000 | 0xb4314dffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314e0000 | 0xb4314effff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314f0000 | 0xb4314fffff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0xb431500000 | 0xb4315defff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b4315e0000 | 0xb4315e0000 | 0xb4315e1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b4315f0000 | 0xb4315f0000 | 0xb4315f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431600000 | 0xb431600000 | 0xb4316fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431700000 | 0xb431700000 | 0xb43177ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431780000 | 0xb431780000 | 0xb43187ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b431880000 | 0xb431880000 | 0xb43197ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b431980000 | 0xb431980000 | 0xb43198ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431990000 | 0xb431990000 | 0xb431a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b431a90000 | 0xb431a90000 | 0xb431a9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431aa0000 | 0xb431aa0000 | 0xb431aaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ab0000 | 0xb431ab0000 | 0xb431abffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ac0000 | 0xb431ac0000 | 0xb431acffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ad0000 | 0xb431ad0000 | 0xb431adffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ae0000 | 0xb431ae0000 | 0xb431aeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b431af0000 | 0xb431af0000 | 0xb431af7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431b00000 | 0xb431b00000 | 0xb431b06fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431b10000 | 0xb431b10000 | 0xb431c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431c10000 | 0xb431c10000 | 0xb431c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431c90000 | 0xb431c90000 | 0xb431d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431d90000 | 0xb431d90000 | 0xb431e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431e10000 | 0xb431e10000 | 0xb431f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431f10000 | 0xb431f10000 | 0xb431f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431f90000 | 0xb431f90000 | 0xb43200ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432010000 | 0xb432010000 | 0xb43208ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432090000 | 0xb432090000 | 0xb43210ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432110000 | 0xb432110000 | 0xb43220ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432210000 | 0xb432210000 | 0xb43230ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432310000 | 0xb432310000 | 0xb43240ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432410000 | 0xb432410000 | 0xb43248ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432490000 | 0xb432490000 | 0xb43258ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432590000 | 0xb432590000 | 0xb43268ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432690000 | 0xb432690000 | 0xb43278ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432790000 | 0xb432790000 | 0xb43288ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432890000 | 0xb432890000 | 0xb43290ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b432910000 | 0xb432910000 | 0xb43295cfff | Pagefile Backed Memory | rw |
|
|
|
- |
| datastore.edb | 0xb432960000 | 0xb43296ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b432970000 | 0xb432970000 | 0xb432976fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432980000 | 0xb432980000 | 0xb432a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432a80000 | 0xb432a80000 | 0xb432afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432b00000 | 0xb432b00000 | 0xb432bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432c00000 | 0xb432c00000 | 0xb432cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432d00000 | 0xb432d00000 | 0xb432dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432e00000 | 0xb432e00000 | 0xb432e7ffff | Private Memory | rw |
|
|
|
- |
| dosvc.dll.mui | 0xb432e80000 | 0xb432e80fff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432e90000 | 0xb432e9ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432ea0000 | 0xb432eaffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432eb0000 | 0xb432ebffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432ec0000 | 0xb432ecffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b432ed0000 | 0xb432ed0000 | 0xb432ed1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| datastore.edb | 0xb432ee0000 | 0xb432eeffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b432ef0000 | 0xb432ef0000 | 0xb432ef1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b432f00000 | 0xb432f00000 | 0xb432ffffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 409 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #13: winsys.exe
9
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\programdata\winsys.exe |
| Command Line | C:/ProgramData/WinSys.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:24, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe2c |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A60
0x
A8C
0x
9EC
0x
1E0
0x
2F0
0x
6D0
0x
620
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| winsys.exe | 0x00040000 | 0x0005dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x01003fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0114ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x01153fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x01161fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01170000 | 0x0122dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0126ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001270000 | 0x01270000 | 0x01270fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001280000 | 0x01280000 | 0x01280fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001290000 | 0x01290000 | 0x0129ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000012a0000 | 0x012a0000 | 0x012affff | Private Memory | - |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x012bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x012dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000012e0000 | 0x012e0000 | 0x012effff | Private Memory | - |
|
|
|
- |
| private_0x00000000012f0000 | 0x012f0000 | 0x012f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x01300fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001310000 | 0x01310000 | 0x0131ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001320000 | 0x01320000 | 0x0132ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001330000 | 0x01330000 | 0x0133ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001340000 | 0x01340000 | 0x0143ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x0147ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001480000 | 0x01480000 | 0x014bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014c0000 | 0x014c0000 | 0x014cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014d0000 | 0x014d0000 | 0x014fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014d0000 | 0x014d0000 | 0x014dffff | Private Memory | - |
|
|
|
- |
| pagefile_0x00000000014e0000 | 0x014e0000 | 0x014e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000014f0000 | 0x014f0000 | 0x014fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001500000 | 0x01500000 | 0x015fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001600000 | 0x01600000 | 0x0169ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016a0000 | 0x016a0000 | 0x016affff | Private Memory | - |
|
|
|
- |
| private_0x00000000016b0000 | 0x016b0000 | 0x016bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000016c0000 | 0x016c0000 | 0x016cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000016d0000 | 0x016d0000 | 0x016dffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x0171ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001720000 | 0x01720000 | 0x0172ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001730000 | 0x01730000 | 0x0173ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001740000 | 0x01740000 | 0x01740fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001750000 | 0x01750000 | 0x0175ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001760000 | 0x01760000 | 0x018e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000018f0000 | 0x018f0000 | 0x01a70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001a80000 | 0x01a80000 | 0x02e7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002e80000 | 0x02e80000 | 0x02f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f80000 | 0x02f80000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05080000 | 0x053b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000053c0000 | 0x053c0000 | 0x054bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054c0000 | 0x054c0000 | 0x054fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005500000 | 0x05500000 | 0x0553ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005540000 | 0x05540000 | 0x0556ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000055b0000 | 0x055b0000 | 0x055bffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000055c0000 | 0x055c0000 | 0x065bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000065c0000 | 0x065c0000 | 0x066effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000066f0000 | 0x066f0000 | 0x076effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000076f0000 | 0x076f0000 | 0x0793ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007940000 | 0x07940000 | 0x0893ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008940000 | 0x08940000 | 0x0993ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009940000 | 0x09940000 | 0x0a93ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a940000 | 0x0a940000 | 0x0aa3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000aa40000 | 0x0aa40000 | 0x0ab3ffff | Private Memory | rw |
|
|
|
- |
| system.windows.forms.dll | 0x0afe0000 | 0x0b477fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x71f10000 | 0x728bcfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x728c0000 | 0x7293cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x72a10000 | 0x73c3afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x73c40000 | 0x73d34fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x73dd0000 | 0x74477fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74480000 | 0x74487fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74530000 | 0x745a7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x745b0000 | 0x74608fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007eb24000 | 0x7eb24000 | 0x7eb26fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb27000 | 0x7eb27000 | 0x7eb29fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2a000 | 0x7eb2a000 | 0x7eb2cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2d000 | 0x7eb2d000 | 0x7eb2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007eb30000 | 0x7eb30000 | 0x7ec2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec30000 | 0x7ec30000 | 0x7ec52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec53000 | 0x7ec53000 | 0x7ec53fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec56000 | 0x7ec56000 | 0x7ec58fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec59000 | 0x7ec59000 | 0x7ec5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec5c000 | 0x7ec5c000 | 0x7ec5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec5f000 | 0x7ec5f000 | 0x7ec5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\ProgramData\WinSys.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe | type = file_attributes |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = f6a845a7-3909-486d-8d82-29892b2a38d4 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = COR_ENABLE_PROFILING |
|
1 |
Process #14: wmiadap.exe
0
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\wbem\wmiadap.exe |
| Command Line | wmiadap.exe /F /T /R |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:05, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:49 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee0 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
EF0
0x
EF8
0x
ED4
0x
ECC
0x
F54
0x
F4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000d905f10000 | 0xd905f10000 | 0xd905f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d905f10000 | 0xd905f10000 | 0xd905f1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000d905f20000 | 0xd905f20000 | 0xd905f26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d905f30000 | 0xd905f30000 | 0xd905f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d905f50000 | 0xd905f50000 | 0xd905fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d905fd0000 | 0xd905fd0000 | 0xd905fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d905fe0000 | 0xd905fe0000 | 0xd905fe0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d905ff0000 | 0xd905ff0000 | 0xd905ff1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd906000000 | 0xd9060bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d9060c0000 | 0xd9060c0000 | 0xd90613ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906140000 | 0xd906140000 | 0xd906146fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906150000 | 0xd906150000 | 0xd906150fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906160000 | 0xd906160000 | 0xd906160fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d906170000 | 0xd906170000 | 0xd906170fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d906180000 | 0xd906180000 | 0xd906180fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d906190000 | 0xd906190000 | 0xd90628ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906290000 | 0xd906290000 | 0xd90630ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906370000 | 0xd906370000 | 0xd90637ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d906380000 | 0xd906380000 | 0xd906507fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d906510000 | 0xd906510000 | 0xd906690fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d9066a0000 | 0xd9066a0000 | 0xd90675ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0xd906760000 | 0xd906a96fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d906aa0000 | 0xd906aa0000 | 0xd906b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906b20000 | 0xd906b20000 | 0xd906b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906ba0000 | 0xd906ba0000 | 0xd906c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fffc0000 | 0x7df5fffc0000 | 0x7ff5fffbffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6673a0000 | 0x7ff6673a0000 | 0x7ff66749ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6674a0000 | 0x7ff6674a0000 | 0x7ff6674c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6674c3000 | 0x7ff6674c3000 | 0x7ff6674c4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674c5000 | 0x7ff6674c5000 | 0x7ff6674c6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674c7000 | 0x7ff6674c7000 | 0x7ff6674c8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674c9000 | 0x7ff6674c9000 | 0x7ff6674cafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674cb000 | 0x7ff6674cb000 | 0x7ff6674ccfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674cd000 | 0x7ff6674cd000 | 0x7ff6674cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674ce000 | 0x7ff6674ce000 | 0x7ff6674cffff | Private Memory | rw |
|
|
|
- |
| wmiadap.exe | 0x7ff667b90000 | 0x7ff667bbefff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ffc496f0000 | 0x7ffc49703fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ffc49710000 | 0x7ffc49807fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ffc4a370000 | 0x7ffc4a380fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ffc4d910000 | 0x7ffc4d98efff | Memory Mapped File | rwx |
|
|
|
- |
| loadperf.dll | 0x7ffc50610000 | 0x7ffc50634fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7ffc57a20000 | 0x7ffc57a27fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #17: winsys.exe
9
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\programdata\winsys.exe |
| Command Line | C:/ProgramData/WinSys.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:27, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3c0 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F78
0x
F74
0x
F64
0x
F6C
0x
FE4
0x
F70
0x
F80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| winsys.exe | 0x00040000 | 0x0005dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x00f0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f20fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01093fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x010d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000010e0000 | 0x010e0000 | 0x010effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x011fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01200000 | 0x012bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x013fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001400000 | 0x01400000 | 0x0140ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001410000 | 0x01410000 | 0x0141ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001420000 | 0x01420000 | 0x0142ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001430000 | 0x01430000 | 0x0143ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x0144ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001450000 | 0x01450000 | 0x0145ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001460000 | 0x01460000 | 0x015e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000015f0000 | 0x015f0000 | 0x01770fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001780000 | 0x01780000 | 0x02b7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002b80000 | 0x02b80000 | 0x02b80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b90000 | 0x02b90000 | 0x02b90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ba0000 | 0x02ba0000 | 0x02bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02beffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02bfffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002c00000 | 0x02c00000 | 0x02c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c80000 | 0x02c80000 | 0x02c8ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002c90000 | 0x02c90000 | 0x02c9ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x02ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cf0000 | 0x02cf0000 | 0x02cfffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000002d00000 | 0x02d00000 | 0x02d00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002d10000 | 0x02d10000 | 0x02d1ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x02d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d30000 | 0x02d30000 | 0x02e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04f30000 | 0x05266fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x052fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052b0000 | 0x052b0000 | 0x052dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x052effff | Private Memory | - |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x052fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005400000 | 0x05400000 | 0x05400fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000054c0000 | 0x054c0000 | 0x054cffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000054d0000 | 0x054d0000 | 0x064cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000064d0000 | 0x064d0000 | 0x065fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006600000 | 0x06600000 | 0x075fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007600000 | 0x07600000 | 0x0784ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007850000 | 0x07850000 | 0x0884ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008850000 | 0x08850000 | 0x0984ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009850000 | 0x09850000 | 0x0994ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009950000 | 0x09950000 | 0x09a4ffff | Private Memory | rw |
|
|
|
- |
| system.windows.forms.dll | 0x09ef0000 | 0x0a387fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x71f10000 | 0x728bcfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x728c0000 | 0x7293cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x72a10000 | 0x73c3afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x73c40000 | 0x73d34fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x73dd0000 | 0x74477fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74480000 | 0x74487fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74530000 | 0x745a7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x745b0000 | 0x74608fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f101000 | 0x7f101000 | 0x7f103fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f104000 | 0x7f104000 | 0x7f106fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f107000 | 0x7f107000 | 0x7f109fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10a000 | 0x7f10a000 | 0x7f10cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10d000 | 0x7f10d000 | 0x7f10ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f110000 | 0x7f110000 | 0x7f20ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f210000 | 0x7f210000 | 0x7f232fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f235000 | 0x7f235000 | 0x7f237fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f238000 | 0x7f238000 | 0x7f238fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23b000 | 0x7f23b000 | 0x7f23bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23d000 | 0x7f23d000 | 0x7f23ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\ProgramData\WinSys.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe | type = file_attributes |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = f6a845a7-3909-486d-8d82-29892b2a38d4 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = COR_ENABLE_PROFILING |
|
1 |
Process #18: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {15A7A4A7-8576-4E0D-8E68-775B3CBFF42F} S-1-5-18:NT AUTHORITY\System:Service: |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:07, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:47 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf2c |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
F40
0x
764
0x
A70
0x
C50
0x
C58
0x
C74
0x
8B8
0x
900
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000007ce3620000 | 0x7ce3620000 | 0x7ce363ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ce3620000 | 0x7ce3620000 | 0x7ce362ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000007ce3630000 | 0x7ce3630000 | 0x7ce3636fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ce3640000 | 0x7ce3640000 | 0x7ce3653fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007ce3660000 | 0x7ce3660000 | 0x7ce36dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ce36e0000 | 0x7ce36e0000 | 0x7ce36e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007ce36f0000 | 0x7ce36f0000 | 0x7ce36f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007ce3700000 | 0x7ce3700000 | 0x7ce3701fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x7ce3710000 | 0x7ce37cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007ce37d0000 | 0x7ce37d0000 | 0x7ce384ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce3850000 | 0x7ce3850000 | 0x7ce3856fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce3860000 | 0x7ce3860000 | 0x7ce395ffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe.mui | 0x7ce3960000 | 0x7ce3960fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007ce3970000 | 0x7ce3970000 | 0x7ce3970fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce3980000 | 0x7ce3980000 | 0x7ce3980fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce3990000 | 0x7ce3990000 | 0x7ce399ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ce39a0000 | 0x7ce39a0000 | 0x7ce39a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007ce39b0000 | 0x7ce39b0000 | 0x7ce39b6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce39e0000 | 0x7ce39e0000 | 0x7ce39effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ce39f0000 | 0x7ce39f0000 | 0x7ce3b77fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007ce3b80000 | 0x7ce3b80000 | 0x7ce3d00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007ce3d10000 | 0x7ce3d10000 | 0x7ce3dcffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007ce3dd0000 | 0x7ce3dd0000 | 0x7ce3e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce3e50000 | 0x7ce3e50000 | 0x7ce3f4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x7ce3f50000 | 0x7ce4286fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007ce4290000 | 0x7ce4290000 | 0x7ce430ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce4310000 | 0x7ce4310000 | 0x7ce438ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce4390000 | 0x7ce4390000 | 0x7ce440ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce4410000 | 0x7ce4410000 | 0x7ce448ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff4c0000 | 0x7df5ff4c0000 | 0x7ff5ff4bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff66a38e000 | 0x7ff66a38e000 | 0x7ff66a38ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff66a390000 | 0x7ff66a390000 | 0x7ff66a48ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff66a490000 | 0x7ff66a490000 | 0x7ff66a4b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff66a4b3000 | 0x7ff66a4b3000 | 0x7ff66a4b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4b5000 | 0x7ff66a4b5000 | 0x7ff66a4b6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4b7000 | 0x7ff66a4b7000 | 0x7ff66a4b8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4b9000 | 0x7ff66a4b9000 | 0x7ff66a4bafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4bb000 | 0x7ff66a4bb000 | 0x7ff66a4bcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4bd000 | 0x7ff66a4bd000 | 0x7ff66a4befff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4bf000 | 0x7ff66a4bf000 | 0x7ff66a4bffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe | 0x7ff66ab00000 | 0x7ff66ab4cfff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7ffc505c0000 | 0x7ffc505c8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #19: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {1041B8A7-BFE5-4C6D-B407-C03324D5908B} S-1-5-21-1462094071-1423818996-289466292-1000:LHNIWSJ\CIiHmnxMn6Ps:Interactive:LUA[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:46 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x36c |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8D0
0x
C3C
0x
C70
0x
C48
0x
E24
0x
E28
0x
F24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004fad200000 | 0x4fad200000 | 0x4fad21ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004fad200000 | 0x4fad200000 | 0x4fad20ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000004fad210000 | 0x4fad210000 | 0x4fad216fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004fad220000 | 0x4fad220000 | 0x4fad233fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004fad240000 | 0x4fad240000 | 0x4fad2bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004fad2c0000 | 0x4fad2c0000 | 0x4fad2c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004fad2d0000 | 0x4fad2d0000 | 0x4fad2d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004fad2e0000 | 0x4fad2e0000 | 0x4fad2e1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad2f0000 | 0x4fad2f0000 | 0x4fad2f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004fad300000 | 0x4fad300000 | 0x4fad300fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004fad310000 | 0x4fad310000 | 0x4fad316fff | Private Memory | rw |
|
|
|
- |
| taskeng.exe.mui | 0x4fad320000 | 0x4fad320fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004fad330000 | 0x4fad330000 | 0x4fad42ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4fad430000 | 0x4fad4edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004fad4f0000 | 0x4fad4f0000 | 0x4fad56ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad570000 | 0x4fad570000 | 0x4fad5effff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad5f0000 | 0x4fad5f0000 | 0x4fad66ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad670000 | 0x4fad670000 | 0x4fad670fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad680000 | 0x4fad680000 | 0x4fad680fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad6d0000 | 0x4fad6d0000 | 0x4fad6dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad6e0000 | 0x4fad6e0000 | 0x4fad7dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad7e0000 | 0x4fad7e0000 | 0x4fad85ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad8b0000 | 0x4fad8b0000 | 0x4fad8bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x4fad8c0000 | 0x4fadbf6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004fadc00000 | 0x4fadc00000 | 0x4fadc7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fadc80000 | 0x4fadc80000 | 0x4fadcfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004fadd00000 | 0x4fadd00000 | 0x4fade87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004fade90000 | 0x4fade90000 | 0x4fae010fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004fae020000 | 0x4fae020000 | 0x4faf41ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004faf4e0000 | 0x4faf4e0000 | 0x4faf4effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff0f0000 | 0x7df5ff0f0000 | 0x7ff5ff0effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff669d9c000 | 0x7ff669d9c000 | 0x7ff669d9dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669d9e000 | 0x7ff669d9e000 | 0x7ff669d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff669da0000 | 0x7ff669da0000 | 0x7ff669e9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff669ea0000 | 0x7ff669ea0000 | 0x7ff669ec2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff669ec4000 | 0x7ff669ec4000 | 0x7ff669ec5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669ec6000 | 0x7ff669ec6000 | 0x7ff669ec6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669ec8000 | 0x7ff669ec8000 | 0x7ff669ec9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669eca000 | 0x7ff669eca000 | 0x7ff669ecbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669ecc000 | 0x7ff669ecc000 | 0x7ff669ecdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669ece000 | 0x7ff669ece000 | 0x7ff669ecffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe | 0x7ff66ab00000 | 0x7ff66ab4cfff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7ffc505c0000 | 0x7ffc505c8fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffc52cd0000 | 0x7ffc52d47fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #20: sdxhelper.exe
0
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\sdxhelper.exe |
| Command Line | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\sdxhelper.exe" /onlogon |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:18, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf28 |
| Parent PID | 0x36c (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DFC
0x
728
0x
C40
0x
D38
0x
DC0
0x
DC4
0x
D34
0x
D2C
0x
270
0x
D0
0x
224
0x
338
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000c40ba50000 | 0xc40ba50000 | 0xc40ba6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40ba50000 | 0xc40ba50000 | 0xc40ba5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c40ba60000 | 0xc40ba60000 | 0xc40ba66fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40ba70000 | 0xc40ba70000 | 0xc40ba83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40ba90000 | 0xc40ba90000 | 0xc40bb8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40bb90000 | 0xc40bb90000 | 0xc40bb93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40bba0000 | 0xc40bba0000 | 0xc40bba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40bbb0000 | 0xc40bbb0000 | 0xc40bbb1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40bbc0000 | 0xc40bbc0000 | 0xc40bbc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40bbd0000 | 0xc40bbd0000 | 0xc40bbd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40bbe0000 | 0xc40bbe0000 | 0xc40bbe0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40bbf0000 | 0xc40bbf0000 | 0xc40bbf0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40bc00000 | 0xc40bc00000 | 0xc40bc00fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40bc10000 | 0xc40bc10000 | 0xc40bc10fff | Private Memory | rw |
|
|
|
- |
| installermainshell.tlb | 0xc40bc20000 | 0xc40bc21fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c40bc30000 | 0xc40bc30000 | 0xc40bc32fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40bc40000 | 0xc40bc40000 | 0xc40bc42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40bc50000 | 0xc40bc50000 | 0xc40bc5ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x000000c40bc60000 | 0xc40bc60000 | 0xc40bc61fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40bc70000 | 0xc40bc70000 | 0xc40bd6ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xc40bd70000 | 0xc40be2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c40be30000 | 0xc40be30000 | 0xc40bf2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40be30000 | 0xc40be30000 | 0xc40be33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40be40000 | 0xc40be40000 | 0xc40be41fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40be50000 | 0xc40be50000 | 0xc40be6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40be70000 | 0xc40be70000 | 0xc40bf6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40bf70000 | 0xc40bf70000 | 0xc40bf70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c40bf80000 | 0xc40bf80000 | 0xc40bf80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40bf90000 | 0xc40bf90000 | 0xc40bf90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40bfa0000 | 0xc40bfa0000 | 0xc40bfa0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0xc40bfb0000 | 0xc40bfb0fff | Memory Mapped File | rw |
|
|
|
- |
| winnlsres.dll | 0xc40bfc0000 | 0xc40bfc4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0xc40bfd0000 | 0xc40bfdffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c40bfe0000 | 0xc40bfe0000 | 0xc40bfeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40bff0000 | 0xc40bff0000 | 0xc40c177fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40c180000 | 0xc40c180000 | 0xc40c300fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40c310000 | 0xc40c310000 | 0xc40d70ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0xc40d710000 | 0xc40da46fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c40da50000 | 0xc40da50000 | 0xc40db4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40db50000 | 0xc40db50000 | 0xc40dc07fff | Pagefile Backed Memory | r |
|
|
|
- |
| mswsock.dll.mui | 0xc40dc10000 | 0xc40dc12fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c40dc20000 | 0xc40dc20000 | 0xc40dc21fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c40dc30000 | 0xc40dc30000 | 0xc40dc3ffff | Private Memory | rw |
|
|
|
- |
| office.odf | 0xc40dc40000 | 0xc40de60fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c40de70000 | 0xc40de70000 | 0xc40df6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40df70000 | 0xc40df70000 | 0xc40e06ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e070000 | 0xc40e070000 | 0xc40e16ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e170000 | 0xc40e170000 | 0xc40e26ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e270000 | 0xc40e270000 | 0xc40e36ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e370000 | 0xc40e370000 | 0xc40e46ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e470000 | 0xc40e470000 | 0xc40e56ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e570000 | 0xc40e570000 | 0xc40e66ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e670000 | 0xc40e670000 | 0xc40e76ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e770000 | 0xc40e770000 | 0xc40e96ffff | Private Memory | rw |
|
|
|
- |
| crypt32.dll.mui | 0xc40e970000 | 0xc40e979fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff400000 | 0x7df5ff400000 | 0x7ff5ff3fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff71cf56000 | 0x7ff71cf56000 | 0x7ff71cf57fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf58000 | 0x7ff71cf58000 | 0x7ff71cf59fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf5a000 | 0x7ff71cf5a000 | 0x7ff71cf5bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf5c000 | 0x7ff71cf5c000 | 0x7ff71cf5dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf5e000 | 0x7ff71cf5e000 | 0x7ff71cf5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff71cf60000 | 0x7ff71cf60000 | 0x7ff71d05ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff71d060000 | 0x7ff71d060000 | 0x7ff71d082fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff71d083000 | 0x7ff71d083000 | 0x7ff71d084fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d085000 | 0x7ff71d085000 | 0x7ff71d085fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d086000 | 0x7ff71d086000 | 0x7ff71d087fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d088000 | 0x7ff71d088000 | 0x7ff71d089fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d08a000 | 0x7ff71d08a000 | 0x7ff71d08bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d08c000 | 0x7ff71d08c000 | 0x7ff71d08dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d08e000 | 0x7ff71d08e000 | 0x7ff71d08ffff | Private Memory | rw |
|
|
|
- |
| sdxhelper.exe | 0x7ff71def0000 | 0x7ff71df0efff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc17bd0000 | 0x7ffc17bd0000 | 0x7ffc17bdffff | Private Memory | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7ffc3def0000 | 0x7ffc3e568fff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7ffc405e0000 | 0x7ffc40df0fff | Memory Mapped File | rwx |
|
|
|
- |
| c2r64.dll | 0x7ffc40e00000 | 0x7ffc41077fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvsubsystems64.dll | 0x7ffc410e0000 | 0x7ffc41363fff | Memory Mapped File | rwx |
|
|
|
- |
| dsreg.dll | 0x7ffc46650000 | 0x7ffc466a9fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ffc4a100000 | 0x7ffc4a17ffff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x7ffc4a6b0000 | 0x7ffc4a6c6fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7ffc4b290000 | 0x7ffc4b536fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ffc4b540000 | 0x7ffc4b6d6fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffc4b8c0000 | 0x7ffc4b8d4fff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x7ffc4b930000 | 0x7ffc4bc6cfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffc4c270000 | 0x7ffc4c279fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.security.authentication.web.core.dll | 0x7ffc4cfe0000 | 0x7ffc4d08cfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7ffc4fd60000 | 0x7ffc4fe06fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ffc50400000 | 0x7ffc504f1fff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x7ffc505a0000 | 0x7ffc505b5fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffc53980000 | 0x7ffc539f3fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffc53f30000 | 0x7ffc53f65fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffc53f70000 | 0x7ffc53f95fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffc54440000 | 0x7ffc544d7fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7ffc55220000 | 0x7ffc5527afff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x7ffc57450000 | 0x7ffc57456fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 3 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #21: officec2rclient.exe
0
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe |
| Command Line | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:46 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5b8 |
| Parent PID | 0xf2c (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
CC8
0x
804
0x
114
0x
C44
0x
DEC
0x
318
0x
34C
0x
320
0x
274
0x
304
0x
95C
0x
56C
0x
75C
0x
FFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000055629a0000 | 0x55629a0000 | 0x55629bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000055629a0000 | 0x55629a0000 | 0x55629affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000055629b0000 | 0x55629b0000 | 0x55629b6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000055629c0000 | 0x55629c0000 | 0x55629d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000055629e0000 | 0x55629e0000 | 0x5562adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005562ae0000 | 0x5562ae0000 | 0x5562ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005562af0000 | 0x5562af0000 | 0x5562af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005562b00000 | 0x5562b00000 | 0x5562b01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5562b10000 | 0x5562bcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005562bd0000 | 0x5562bd0000 | 0x5562bd6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562be0000 | 0x5562be0000 | 0x5562be0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562bf0000 | 0x5562bf0000 | 0x5562bf0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562c00000 | 0x5562c00000 | 0x5562c00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562c10000 | 0x5562c10000 | 0x5562c10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562c20000 | 0x5562c20000 | 0x5562c2ffff | Private Memory | - |
|
|
|
- |
| private_0x0000005562c30000 | 0x5562c30000 | 0x5562c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005562c40000 | 0x5562c40000 | 0x5562c41fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005562c50000 | 0x5562c50000 | 0x5562c50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005562c60000 | 0x5562c60000 | 0x5562d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562d60000 | 0x5562d60000 | 0x5562e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562e60000 | 0x5562e60000 | 0x5562f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005562f60000 | 0x5562f60000 | 0x556301ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005563020000 | 0x5563020000 | 0x556302ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005563030000 | 0x5563030000 | 0x55631b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000055631c0000 | 0x55631c0000 | 0x5563340fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x5563350000 | 0x5563686fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005563690000 | 0x5563690000 | 0x556378ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563790000 | 0x5563790000 | 0x556398ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005563990000 | 0x5563990000 | 0x5563991fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000055639a0000 | 0x55639a0000 | 0x5563a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005563aa0000 | 0x5563aa0000 | 0x5563aa0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005563ab0000 | 0x5563ab0000 | 0x5563abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563ac0000 | 0x5563ac0000 | 0x5563bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563bc0000 | 0x5563bc0000 | 0x5563cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563cc0000 | 0x5563cc0000 | 0x5563dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563dc0000 | 0x5563dc0000 | 0x5563ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563ec0000 | 0x5563ec0000 | 0x5563fbffff | Private Memory | rw |
|
|
|
- |
| counters.dat | 0x5563fc0000 | 0x5563fc0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000005563fd0000 | 0x5563fd0000 | 0x55640cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000055640d0000 | 0x55640d0000 | 0x55641cffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x55641d0000 | 0x55641d4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x55641e0000 | 0x55641effff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0x55641f0000 | 0x55641f2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005564200000 | 0x5564200000 | 0x5564201fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005564210000 | 0x5564210000 | 0x556430ffff | Private Memory | rw |
|
|
|
- |
| crypt32.dll.mui | 0x5564310000 | 0x5564319fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005564320000 | 0x5564320000 | 0x556441ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005564420000 | 0x5564420000 | 0x556451ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005564520000 | 0x5564520000 | 0x556491ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff9c0000 | 0x7df5ff9c0000 | 0x7ff5ff9bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff611ce0000 | 0x7ff611ce0000 | 0x7ff611ce1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611ce2000 | 0x7ff611ce2000 | 0x7ff611ce3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611ce4000 | 0x7ff611ce4000 | 0x7ff611ce5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611ce6000 | 0x7ff611ce6000 | 0x7ff611ce7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611ce8000 | 0x7ff611ce8000 | 0x7ff611ce9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611cea000 | 0x7ff611cea000 | 0x7ff611cebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611cec000 | 0x7ff611cec000 | 0x7ff611cedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611cee000 | 0x7ff611cee000 | 0x7ff611ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff611cf0000 | 0x7ff611cf0000 | 0x7ff611deffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff611df0000 | 0x7ff611df0000 | 0x7ff611e12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff611e14000 | 0x7ff611e14000 | 0x7ff611e14fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611e16000 | 0x7ff611e16000 | 0x7ff611e17fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611e18000 | 0x7ff611e18000 | 0x7ff611e19fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611e1a000 | 0x7ff611e1a000 | 0x7ff611e1bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611e1c000 | 0x7ff611e1c000 | 0x7ff611e1dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611e1e000 | 0x7ff611e1e000 | 0x7ff611e1ffff | Private Memory | rw |
|
|
|
- |
| officec2rclient.exe | 0x7ff612080000 | 0x7ff6137a4fff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffc3f410000 | 0x7ffc3f4adfff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ffc42390000 | 0x7ffc423a3fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ffc42440000 | 0x7ffc4245efff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ffc4a100000 | 0x7ffc4a17ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7ffc4b290000 | 0x7ffc4b536fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ffc4b540000 | 0x7ffc4b6d6fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffc4b8c0000 | 0x7ffc4b8d4fff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x7ffc4b930000 | 0x7ffc4bc6cfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffc4c270000 | 0x7ffc4c279fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| apiclient.dll | 0x7ffc4cec0000 | 0x7ffc4cefbfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4d090000 | 0x7ffc4d139fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7ffc4db10000 | 0x7ffc4dbb6fff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x7ffc4dbc0000 | 0x7ffc4dbd5fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ffc4f660000 | 0x7ffc4f686fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7ffc4fe10000 | 0x7ffc50354fff | Memory Mapped File | rwx |
|
|
|
- |
| hlink.dll | 0x7ffc50380000 | 0x7ffc5039efff | Memory Mapped File | rwx |
|
|
|
- |
| msimg32.dll | 0x7ffc503a0000 | 0x7ffc503a6fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ffc50400000 | 0x7ffc504f1fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ffc522a0000 | 0x7ffc5233bfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x7ffc52bd0000 | 0x7ffc52bf4fff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ffc531b0000 | 0x7ffc531d7fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc53720000 | 0x7ffc53777fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffc53980000 | 0x7ffc539f3fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffc53f30000 | 0x7ffc53f65fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffc53f70000 | 0x7ffc53f95fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ffc54ca0000 | 0x7ffc54cf3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7ffc55630000 | 0x7ffc557f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x7ffc57450000 | 0x7ffc57456fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #23: winsys.exe
9
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\programdata\winsys.exe |
| Command Line | C:/ProgramData/WinSys.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:26, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb18 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D00
0x
B74
0x
D10
0x
CF4
0x
CBC
0x
CE8
0x
CEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| winsys.exe | 0x00040000 | 0x0005dfff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000de0000 | 0x00de0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00deffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00df3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e00fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00fb0000 | 0x0106dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x010affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010b0000 | 0x010b0000 | 0x010b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x010cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x010dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010effff | Private Memory | - |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0110ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0111ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x01120fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0122ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0132ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001330000 | 0x01330000 | 0x01330fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001340000 | 0x01340000 | 0x0137ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001380000 | 0x01380000 | 0x0138ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001390000 | 0x01390000 | 0x0139ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013a0000 | 0x013a0000 | 0x013affff | Private Memory | - |
|
|
|
- |
| private_0x00000000013b0000 | 0x013b0000 | 0x013bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013c0000 | 0x013c0000 | 0x013fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001400000 | 0x01400000 | 0x01400fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001410000 | 0x01410000 | 0x0141ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001420000 | 0x01420000 | 0x0142ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001430000 | 0x01430000 | 0x0143ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x014dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x0147ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001480000 | 0x01480000 | 0x014affff | Private Memory | - |
|
|
|
- |
| private_0x00000000014b0000 | 0x014b0000 | 0x014effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014f0000 | 0x014f0000 | 0x014fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001500000 | 0x01500000 | 0x0150ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001510000 | 0x01510000 | 0x0151ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001520000 | 0x01520000 | 0x016a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000016b0000 | 0x016b0000 | 0x01830fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001840000 | 0x01840000 | 0x02c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d40000 | 0x02d40000 | 0x02d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d80000 | 0x02d80000 | 0x02d80fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x04daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04eb0000 | 0x051e6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005360000 | 0x05360000 | 0x0548ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005500000 | 0x05500000 | 0x0550ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000005510000 | 0x05510000 | 0x0650ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006510000 | 0x06510000 | 0x0750ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007510000 | 0x07510000 | 0x0775ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007760000 | 0x07760000 | 0x0875ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008760000 | 0x08760000 | 0x0975ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009760000 | 0x09760000 | 0x0985ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009860000 | 0x09860000 | 0x0995ffff | Private Memory | rw |
|
|
|
- |
| system.windows.forms.dll | 0x09d00000 | 0x0a197fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x71f10000 | 0x728bcfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x728c0000 | 0x7293cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x72a10000 | 0x73c3afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x73c40000 | 0x73d34fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x73dd0000 | 0x74477fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74480000 | 0x74487fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74530000 | 0x745a7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x745b0000 | 0x74608fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f0f4000 | 0x7f0f4000 | 0x7f0f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0f7000 | 0x7f0f7000 | 0x7f0f9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0fa000 | 0x7f0fa000 | 0x7f0fcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0fd000 | 0x7f0fd000 | 0x7f0fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f100000 | 0x7f100000 | 0x7f1fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f200000 | 0x7f200000 | 0x7f222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f223000 | 0x7f223000 | 0x7f223fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f226000 | 0x7f226000 | 0x7f228fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f229000 | 0x7f229000 | 0x7f22bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22c000 | 0x7f22c000 | 0x7f22efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22f000 | 0x7f22f000 | 0x7f22ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\ProgramData\WinSys.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe | type = file_attributes |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = f6a845a7-3909-486d-8d82-29892b2a38d4 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = COR_ENABLE_PROFILING |
|
1 |
