c283c47ed7ecb84bdedf5a856374b4a60d48e0d42c0c57d4ff61a16d71f3528b (SHA256)
Mining.exe
Windows Exe (x86-32)
Created at 2019-01-26 02:20:00
Notifications (1/1)
Due to a WHOIS service error, no query could be made to get WHOIS data of any contacted domain.
Monitored Processes
Behavior Information - Sequential View
Process #1: mining.exe
232
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\mining.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:53, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:07, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf1c |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F20
0x
F3C
0x
F48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e61fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e80000 | 0x00f3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01000fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01003fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01013fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x01023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x010c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| mining.exe | 0x01140000 | 0x016d6fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000016e0000 | 0x016e0000 | 0x01adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001ae0000 | 0x01ae0000 | 0x01b97fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001bb0000 | 0x01bb0000 | 0x01faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x027affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027b0000 | 0x027b0000 | 0x02937fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002940000 | 0x02940000 | 0x02ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ad0000 | 0x02ad0000 | 0x03ecffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003ed0000 | 0x03ed0000 | 0x03f57fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004070000 | 0x04070000 | 0x0407ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004080000 | 0x04080000 | 0x0454efff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004080000 | 0x04080000 | 0x04546fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04080000 | 0x043b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x0488bfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x0488efff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74070000 | 0x74097fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x740a0000 | 0x740c0fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x740d0000 | 0x740d7fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x740e0000 | 0x74102fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74110000 | 0x74128fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74130000 | 0x7415ffff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74160000 | 0x74183fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74190000 | 0x743b3fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x743c0000 | 0x743d6fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x743e0000 | 0x745e8fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745f0000 | 0x745f7fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x74600000 | 0x74607fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74610000 | 0x7462cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x74d30000 | 0x74d8bfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x74d90000 | 0x74d95fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x766d0000 | 0x7678dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77080000 | 0x770b5fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x770c0000 | 0x770c6fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000000ff190000 | 0xff190000 | 0xff28ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000ff290000 | 0xff290000 | 0xff2b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000ff2b5000 | 0xff2b5000 | 0xff2b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff2b8000 | 0xff2b8000 | 0xff2bafff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff2bb000 | 0xff2bb000 | 0xff2bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff2be000 | 0xff2be000 | 0xff2befff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff2bf000 | 0xff2bf000 | 0xff2bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | 4.69 MB |
MD5:
5e137a5cf5138f25f5b3d74e7e694eac
SHA1: 243cac505e430609afd4807534a0ec27792c0796 SHA256: 2ae5e88dc24e02d2e4bb65bdf5be48b5430baa545188af8a6498d14bc3cf4191 SSDeep: 98304:ETVPCviLZiYvlp5pamq//BsIhwOuFL0hyP:IVKviL4Ytpam4ypOG0h |
|
|
| Zero_Two.tmp | 103.00 KB |
MD5:
dc94ab73eadb420e362697dfdea306a7
SHA1: fdcf1d67eb22b0fac6cb598d0a138c63b79fb0bf SHA256: ffeeb844993f2fee324a19467d8ed8a36d82084002542674b1f3ee111ca0e643 SSDeep: 3072:SzEWN5IyOrM2MrIfjblaX/g7q0LyejLl77W8rOirJTqX2wA2j8/VE:SxIyTIfj5aW |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp | 50.11 KB |
MD5:
eb5b9cf9564f4d506c3a59fbb5efdf10
SHA1: eca33a3e475db1e9f62b99503fa2e7bf8ffbbe8a SHA256: 321c4580be28e5c71a40f0c9e3e005410fa6cdff335a53b16ef13470b3ea8278 SSDeep: 768:qy/MVdhrNfHPgdTjXm2X0Bwn6yfCHBW+wQ0zS7JuwvYywBT+ugKPNlMwJM/KYVHK:2bbP6j22X0SnfChJw1q+B6ugS2KYI |
|
|
Threads
Thread 0xf20
186
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x74f5a330 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x74f5f400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74f57580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74f59910 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x74f66030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x74f65f90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x74f65ff0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x74f5a5d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x74f5a690 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x776e40f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x776dd630 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x776decf0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x74f65720 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x776de140 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x776deb60 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77719990 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77715540 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77709dc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x74f5a550 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x74f80a40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x752c0790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x74f5f8a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x74f5fa30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x74f81030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x74f5a000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x74f814b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x74f5a4f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x74f816f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x74f59970 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x74f58710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\ciihmnxmn6ps\desktop\mining.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x74f5a410 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Module | Get Filename | process_name = c:\users\ciihmnxmn6ps\desktop\mining.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, size = 32767 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
|
1 | |
| Module | Get Filename | process_name = c:\users\ciihmnxmn6ps\desktop\mining.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, size = 32767 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, address_out = 0x74f5ebb0 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, base_address = 0x1140000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x74f5eb90 |
|
1 | |
| System | Get Time | type = System Time, time = 2019-01-26 02:21:37 (UTC) |
|
5 | |
| Debug | Check for Presence | c:\users\ciihmnxmn6ps\desktop\mining.exe |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x74f5ebb0 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, base_address = 0x1140000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x74f5eb90 |
|
1 | |
| System | Get Time | type = System Time, time = 2019-01-26 02:21:37 (UTC) |
|
8 | |
| Window | Create | window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x74f5ebb0 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, base_address = 0x1140000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x74f5eb90 |
|
1 | |
| System | Get Time | type = System Time, time = 2019-01-26 02:21:38 (UTC) |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp, type = file_attributes |
|
1 | |
| System | Get Time | type = System Time, time = 2019-01-26 02:21:38 (UTC) |
|
10 | |
| File | Create Temp File | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = aut |
|
1 | |
| File | Create | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp, type = file_type |
|
1 | |
| File | Write | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp, size = 65536 |
|
75 | |
| File | Write | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp, size = 1536 |
|
1 | |
| File | Copy | source_filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp |
|
1 | |
| File | Delete | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x74f5ebb0 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, base_address = 0x1140000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x74f5eb90 |
|
1 | |
| System | Get Time | type = System Time, time = 2019-01-26 02:21:39 (UTC) |
|
1 | |
| File | Get Info | filename = Zero_Two.tmp, type = file_attributes |
|
1 | |
| System | Get Time | type = System Time, time = 2019-01-26 02:21:39 (UTC) |
|
13 | |
| File | Create Temp File | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = aut |
|
1 | |
| File | Create | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp, type = file_type |
|
1 | |
| File | Write | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp, size = 49152 |
|
1 | |
| File | Write | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp, size = 2160 |
|
1 | |
| File | Create | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp, type = file_type |
|
1 | |
| File | Create | filename = Zero_Two.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = Zero_Two.tmp, type = file_type |
|
1 | |
| File | Read | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp, size = 4096, size_out = 4096 |
|
1 | |
| File | Read | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp, size = 61440, size_out = 47216 |
|
1 | |
| File | Read | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp, size = 12288, size_out = 0 |
|
1 | |
| File | Write | filename = Zero_Two.tmp, size = 65536 |
|
1 | |
| File | Write | filename = Zero_Two.tmp, size = 36864 |
|
1 | |
| File | Write | filename = Zero_Two.tmp, size = 3072 |
|
1 | |
| File | Delete | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\autF2F7.tmp |
|
1 | |
| File | Create | filename = Zero_Two.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe /c Zero_Two.tmp, os_pid = 0xf84, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe /c C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp, os_pid = 0xf8c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Module | Get Handle | module_name = mscoree.dll |
|
1 |
Process #2: cmd.exe
51
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c Zero_Two.tmp |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:52 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf84 |
| Parent PID | 0xf1c (c:\users\ciihmnxmn6ps\desktop\mining.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F88
0x
B84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000020000 | 0x00020000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00033fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00040fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00043fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00063fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00290000 | 0x0034dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x006c0000 | 0x009f6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x00f80000 | 0x00fcffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x04fcffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7e760000 | 0x7eaeffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7ebeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7ec12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec13000 | 0x7ec13000 | 0x7ec13fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec17000 | 0x7ec17000 | 0x7ec17fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1a000 | 0x7ec1a000 | 0x7ec1cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec1d000 | 0x7ec1d000 | 0x7ec1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0xf88
51
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\cmd.exe, base_address = 0xf80000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 | |
| File | Get Info | filename = Zero_Two.tmp, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Users\CIiHmnxMn6Ps\Desktop\Zero_Two.tmp, os_pid = 0xc10, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 |
Process #3: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:01:23, Reason: Self Terminated |
| Monitor Duration | 00:00:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf8c |
| Parent PID | 0xf1c (c:\users\ciihmnxmn6ps\desktop\mining.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F90
0x
FF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007c0000 | 0x007c0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00803fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00953fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00960fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00971fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b40000 | 0x00bfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00f80000 | 0x00fcffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x04fcffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04fd0000 | 0x05306fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7f480000 | 0x7f80ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007f810000 | 0x7f810000 | 0x7f90ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f910000 | 0x7f910000 | 0x7f932fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f938000 | 0x7f938000 | 0x7f93afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f93b000 | 0x7f93b000 | 0x7f93dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f93e000 | 0x7f93e000 | 0x7f93efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f93f000 | 0x7f93f000 | 0x7f93ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0xf90
56
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\cmd.exe, base_address = 0xf80000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x74f82780 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x74f5fa80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x74f5a790 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x752a35c0 |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp, os_pid = 0xa38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #6: zero_two.tmp
541
31
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\ciihmnxmn6ps\desktop\zero_two.tmp |
| Command Line | Zero_Two.tmp |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc10 |
| Parent PID | 0xf84 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C28
0x
C30
0x
D44
0x
D24
0x
B6C
0x
518
0x
CD4
0x
6B4
0x
DF8
0x
5BC
0x
DD8
0x
DD4
0x
278
0x
68C
0x
B3C
0x
B64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000320000 | 0x00320000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x0032ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00340fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00363fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004d0000 | 0x0058dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00660fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00670fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0079ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00b87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00d10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d8ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| zero_two.tmp | 0x00dc0000 | 0x00dddfff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x021dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000021e0000 | 0x021e0000 | 0x022dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022e0000 | 0x022e0000 | 0x0231ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002320000 | 0x02320000 | 0x0232ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000002330000 | 0x02330000 | 0x02330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002340000 | 0x02340000 | 0x0234ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002350000 | 0x02350000 | 0x0434ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x0444ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04450000 | 0x04786fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x0488ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x048cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x048fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x0493ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x0494ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000004950000 | 0x04950000 | 0x0594ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005950000 | 0x05950000 | 0x05a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a80000 | 0x05a80000 | 0x06a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a80000 | 0x06a80000 | 0x06ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006cd0000 | 0x06cd0000 | 0x07ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007cd0000 | 0x07cd0000 | 0x08ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008cd0000 | 0x08cd0000 | 0x09ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009cd0000 | 0x09cd0000 | 0x09dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009dd0000 | 0x09dd0000 | 0x09ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009ed0000 | 0x09ed0000 | 0x09fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009fd0000 | 0x09fd0000 | 0x0a00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a010000 | 0x0a010000 | 0x0a10ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a110000 | 0x0a110000 | 0x0a14ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a150000 | 0x0a150000 | 0x0a24ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000000a250000 | 0x0a250000 | 0x0a250fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000000a260000 | 0x0a260000 | 0x0a29ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x0a2a0000 | 0x0a2a3fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0x0a2b0000 | 0x0a2f2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x0a300000 | 0x0a303fff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x0a310000 | 0x0a320fff | Memory Mapped File | r |
|
|
|
- |
| cversions.1.db | 0x0a330000 | 0x0a333fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x0a340000 | 0x0a352fff | Memory Mapped File | r |
|
|
|
- |
| system.windows.forms.dll | 0x0a370000 | 0x0a807fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000000a810000 | 0x0a810000 | 0x0a90ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x0a910000 | 0x0a99afff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000000a9a0000 | 0x0a9a0000 | 0x0a9dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a9e0000 | 0x0a9e0000 | 0x0aadffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x71bb0000 | 0x71db6fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x71dc0000 | 0x71f01fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x71f10000 | 0x728bcfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x728c0000 | 0x7293cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x72a10000 | 0x73c3afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x73c40000 | 0x73d34fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x73dd0000 | 0x74477fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74480000 | 0x74487fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74490000 | 0x744befff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x744c0000 | 0x744dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x744e0000 | 0x744f2fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74500000 | 0x74527fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74530000 | 0x745a7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x745b0000 | 0x74608fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76fe0000 | 0x77061fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77080000 | 0x770b5fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f228000 | 0x7f228000 | 0x7f22afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22b000 | 0x7f22b000 | 0x7f22dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22e000 | 0x7f22e000 | 0x7f230fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f231000 | 0x7f231000 | 0x7f233fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f234000 | 0x7f234000 | 0x7f236fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f237000 | 0x7f237000 | 0x7f239fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23a000 | 0x7f23a000 | 0x7f23cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23d000 | 0x7f23d000 | 0x7f23ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f240000 | 0x7f240000 | 0x7f33ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f340000 | 0x7f340000 | 0x7f362fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f365000 | 0x7f365000 | 0x7f365fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f366000 | 0x7f366000 | 0x7f368fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f369000 | 0x7f369000 | 0x7f36bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f36c000 | 0x7f36c000 | 0x7f36efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f36f000 | 0x7f36f000 | 0x7f36ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 80 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| Zero_Two.tmp | 103.00 KB |
MD5:
dc94ab73eadb420e362697dfdea306a7
SHA1: fdcf1d67eb22b0fac6cb598d0a138c63b79fb0bf SHA256: ffeeb844993f2fee324a19467d8ed8a36d82084002542674b1f3ee111ca0e643 SSDeep: 3072:SzEWN5IyOrM2MrIfjblaX/g7q0LyejLl77W8rOirJTqX2wA2j8/VE:SxIyTIfj5aW |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
Threads
Thread 0xc28
99
31
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = COR_ENABLE_PROFILING |
|
1 | |
| File | Get Info | filename = C:\ProgramData\WinSys.exe, type = file_attributes |
|
1 | |
| File | Copy | source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\Zero_Two.tmp, destination_filename = C:\ProgramData\WinSys.exe |
|
1 | |
| Process | Create | process_name = schtasks.exe, show_window = SW_HIDE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe, type = file_attributes |
|
1 | |
| File | Copy | source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\Zero_Two.tmp, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe |
|
1 | |
| Process | Create | process_name = schtasks.exe, show_window = SW_HIDE |
|
1 | |
| Mutex | Create | mutex_name = f6a845a7-3909-486d-8d82-29892b2a38d4 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 4096 |
|
8 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 3215 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Zero_Two.tmp.config, type = file_attributes |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework, value_name = LegacyWPADSupport, type = REG_NONE |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.HttpWebRequest_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.HttpWebRequest_MinCount |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = TZI, type = REG_BINARY |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = FirstEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = FirstEntry, data = 2007, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = LastEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = LastEntry, data = 2008, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = 2007, type = REG_BINARY |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = 2008, type = REG_BINARY |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Display, data = @tzres.dll,-670, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Std, data = @tzres.dll,-672, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Dlt, data = @tzres.dll,-671, type = REG_SZ |
|
1 | |
| Module | Load | module_name = C:\Windows\system32\en-US\tzres.dll.mui, base_address = 0xae50001 |
|
3 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.Connection_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.Connection_MinCount |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = iplogger.org, address_out = 88.99.66.31 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, value_name = HWRPortReuseOnSocketBind, type = REG_NONE |
|
1 | |
| Socket | Connect | remote_address = 88.99.66.31, remote_port = 443 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, value_name = SchUseStrongCrypto, type = REG_NONE |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x75243c90 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 124, size_out = 124 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 93, size_out = 93 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5725, size_out = 5725 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 331, size_out = 331 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4, size_out = 4 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 134, size_out = 134 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| System | Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.SslStream_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.SslStream_MinCount |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.SslStream_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.SslStream_MinCount |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 149, size_out = 149 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 624, size_out = 624 |
|
1 |
Thread 0x518
31
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
206 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 |
Thread 0xcd4
30
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
206 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 |
Thread 0xb64
27
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x70470000 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70470000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x76c70000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x7772caa0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\zero_two.tmp, base_address = 0xdc0000 |
|
2 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551612, new_long = 2004011680 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551612, new_long = 76809886 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70470000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\zero_two.tmp, base_address = 0xdc0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551612, new_long = 2004011680 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551612, new_long = 76809926 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\zero_two.tmp, base_address = 0xdc0000 |
|
2 | |
| Window | Create | window_name = .NET-BroadcastEventWindow.4.0.0.0.bf7771.0, class_name = .NET-BroadcastEventWindow.4.0.0.0.bf7771.0, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551608, new_long = 0 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70470000 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551600, new_long = 47120384 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.bf7771_r12_ad1, index = 18446744073709551596, new_long = 327680 |
|
1 |
Process #7: 517847183.tmp
624
8
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\ciihmnxmn6ps\appdata\roaming\517847183.tmp |
| Command Line | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa38 |
| Parent PID | 0xf8c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B80
0x
924
0x
CF0
0x
CF8
0x
DBC
0x
DE0
0x
DDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001c0000 | 0x0027dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00340fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00372fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00380fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00390fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| 517847183.tmp | 0x00400000 | 0x00eb8fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0x00f80000 | 0x00f82fff | Memory Mapped File | r |
|
|
|
- |
| wshqos.dll | 0x00f80000 | 0x00f87fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x0118ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x01317fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001320000 | 0x01320000 | 0x014a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000014b0000 | 0x014b0000 | 0x028affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000028b0000 | 0x028b0000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x029bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x029c0000 | 0x02cf6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x0336efff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x12efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000012f00000 | 0x12f00000 | 0x332fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000012f00000 | 0x12f00000 | 0x12ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000013000000 | 0x13000000 | 0x32ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033000000 | 0x33000000 | 0x330fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033100000 | 0x33100000 | 0x331fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033200000 | 0x33200000 | 0x3323ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033240000 | 0x33240000 | 0x3333ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033340000 | 0x33340000 | 0x3337ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033380000 | 0x33380000 | 0x3347ffff | Private Memory | rw |
|
|
|
- |
| mswsock.dll | 0x33480000 | 0x334cdfff | Memory Mapped File | r |
|
|
|
- |
| wshqos.dll.mui | 0x33480000 | 0x33480fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000033480000 | 0x33480000 | 0x334bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000334c0000 | 0x334c0000 | 0x335bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000335c0000 | 0x335c0000 | 0x3366ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000033670000 | 0x33670000 | 0x336affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000336b0000 | 0x336b0000 | 0x336effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x72790000 | 0x727d5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x727e0000 | 0x727e7fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x727f0000 | 0x7281ffff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x72820000 | 0x72827fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x72830000 | 0x728b3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x72940000 | 0x7298dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x72990000 | 0x729befff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x729c0000 | 0x729dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x729e0000 | 0x729f2fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x72a00000 | 0x72a07fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x73d40000 | 0x73d60fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x73d70000 | 0x73d92fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x73da0000 | 0x73dc3fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74490000 | 0x74521fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x74880000 | 0x749f4fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x74d30000 | 0x74d8bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77070000 | 0x7707dfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77080000 | 0x770b5fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x770c0000 | 0x770c6fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fea4000 | 0x7fea4000 | 0x7fea6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\LoginData1 | 18.00 KB |
MD5:
b22b1727c127485e970296265351b582
SHA1: c6f71441e5709ae15583c60ab9f839190b08f59f SHA256: c6454fe10eaa9e375ee46ed82a2c851f1adae49061234f48c80135bbd17f0f7f SSDeep: 48:gz+JH3yJUhJCVE9V8FsXhFlNU1V6kxqW:HJH3FC2V8uRFleq |
|
|
| C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data1 | 68.00 KB |
MD5:
844cec6a8e7c5513034fc125fc54b803
SHA1: f92eb4fb1df0ceb51b862443ae04f48bac51c9d3 SHA256: 8aee391a40e74ff388cf53f5360e1d38793d4573b9f49e21e607ed3b6428b809 SSDeep: 96:VtyNQIoYnMvqyWx7pnqH+w/fVIrECuKdPraBdUDBBVWqwmKT/WTPepeWbtxYMxCc:rlkMvuzzTP6btttlhS+3 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_cookie.txt | 0.92 KB |
MD5:
83af5f4c5f75035b99d0ea54f283743d
SHA1: ff284abdf4d494cb38b98bb29ab7c0eb01a576b2 SHA256: adb6d362bfa54dec0438fd4605f8cc999c4ef5a88d969091032371b3e1c61040 SSDeep: 24:5hgb4FV2EnwDHAXLQQLQQPMw4ORRiv+8bAJpVGkz+b1:SWof2LQQLQQFtRRi8JTGQe |
|
|
| C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies1 | 13.00 KB |
MD5:
238396aae89ede96ac12f6ebe90f36e4
SHA1: 38b7167e1add52c84f9c160694554b4d5891f9d9 SHA256: c23537b8da96bf92eb88380d6b311bc397ddf02328aefd2c64f08af132cf1882 SSDeep: 96:WanSNDXhnQSMqD679/OJm0qZwO8WIjNgIbFrjunl:WRhXyb3fcBvZOl |
|
|
Threads
Thread 0xb80
575
8
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = USER32.dll, base_address = 0x76c70000 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x77550000 |
|
1 | |
| Module | Load | module_name = NTDLL.dll, base_address = 0x776b0000 |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-01-26 13:21:46 (Local Time) |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Wine |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x74f5a410 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = winmm.dll, base_address = 0x73da0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winmm.dll, function = timeGetTime, address_out = 0x73da3a10 |
|
1 | |
| System | Sleep | duration = 50 milliseconds (0.050 seconds) |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Module | Load | module_name = NTDLL, base_address = 0x776b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtOpenThread, address_out = 0x77719d70 |
|
1 | |
| Module | Load | module_name = winmm.dll, base_address = 0x73da0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\winmm.dll, function = timeGetTime, address_out = 0x73da3a10 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000, value_name = DriverDesc, data = 77 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Hardware\description\System |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Hardware\description\System, value_name = SystemBiosVersion, data = 76 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Hardware\description\System, value_name = VideoBiosVersion, data = 76 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Hardware\description\System, value_name = SystemBiosVersion, data = 76 |
|
1 | |
| Window | Find | class_name = FilemonClass |
|
1 | |
| Window | Find | window_name = File Monitor - Sysinternals: www.sysinternals.com |
|
1 | |
| Window | Find | class_name = PROCMON_WINDOW_CLASS |
|
1 | |
| Window | Find | window_name = Process Monitor - Sysinternals: www.sysinternals.com |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77718f40 |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77718f40 |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Window | Find | class_name = RegmonClass |
|
1 | |
| Window | Find | window_name = Registry Monitor - Sysinternals: www.sysinternals.com |
|
1 | |
| Window | Find | class_name = 18467-41 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77718f40 |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77718f40 |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77718f40 |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77718f40 |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77718f40 |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = dateinj01.dll, base_address = 0x0 |
|
1 | |
| Module | Get Handle | module_name = cmdvrt32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Handle | module_name = SbieDll.dll, base_address = 0x0 |
|
1 | |
| Module | Get Filename | module_name = SbieDll.dll, process_name = c:\users\ciihmnxmn6ps\appdata\roaming\517847183.tmp, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp, size = 256 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlAllocateHeap, address_out = 0x776eda90 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Load | module_name = msvcrt.dll, base_address = 0x76f20000 |
|
1 | |
| Module | Load | module_name = winmm.dll, base_address = 0x73da0000 |
|
1 | |
| Module | Load | module_name = ws2_32.dll, base_address = 0x74d30000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-01-26 13:21:53 (Local Time) |
|
1 | |
| Window | Find | class_name = FilemonClass |
|
1 | |
| Window | Find | window_name = File Monitor - Sysinternals: www.sysinternals.com |
|
1 | |
| Window | Find | class_name = PROCMON_WINDOW_CLASS |
|
1 | |
| Window | Find | window_name = Process Monitor - Sysinternals: www.sysinternals.com |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77718f40 |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77718f40 |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 |
|
9 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlAllocateHeap, address_out = 0x776eda90 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = AddDllDirectory, address_out = 0x752be9e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = AddVectoredContinueHandler, address_out = 0x77759670 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetQueuedCompletionStatusEx, address_out = 0x74f81320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryExW, address_out = 0x74f57920 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x77550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = SystemFunction036, address_out = 0x747b2530 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x776b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtWaitForSingleObject, address_out = 0x77718c00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = wine_get_version, address_out = 0x0 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x74f65f50 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Module | Load | module_name = ws2_32.dll, base_address = 0x74d30000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSAStartup, address_out = 0x74d42420 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CancelIoEx, address_out = 0x74f5ebd0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileCompletionNotificationModes, address_out = 0x74f64810 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSAEnumProtocolsW, address_out = 0x74d45b50 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x74f66870 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x74f5a4b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x74f59540 |
|
1 | |
| Environment | Get Environment String | name = GODEBUG |
|
1 | |
| Environment | Get Environment String | name = DEBUG_HTTP2_GOROUTINES |
|
1 | |
| Environment | Get Environment String | name = GODEBUG |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x74f5a060 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x74f65f50 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | name = USERPROFILE, result_out = C:\Users\CIiHmnxMn6Ps |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x77550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x7756ed80 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\\Valve\\Steam |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x7756ed60 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\\Valve\\Steam, value_name = steampath, data = 0, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x7756efa0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\\Classes\\tdesktop.tg\\shell\\open\\command |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\\Classes\\tdesktop.tg\\shell\\open\\command, data = 0, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x74f66150 |
|
1 | |
| File | Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\ |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesExW, address_out = 0x74f66330 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Chromium\\User Data\\, type = file_attributes |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x74f66250 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Uran\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Chromodo\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google (x86)\\Chrome\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Comodo\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\K-Melon\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Nichrome\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data, type = file_attributes |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x74f66180 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x74f66390 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data, type = file_type |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandle, address_out = 0x74f66350 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data, type = attributes,time,size,volserialno |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x74f664a0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data, size = 18944, size_out = 18432 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Login Data, size = 512, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x74f65f20 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\LoginData1, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x74f66590 |
|
1 | |
| File | Write | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\LoginData1, size = 18432 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1, size = 100, size_out = 100 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1-journal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1, size = 2048, size_out = 2048 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1-journal, type = file_attributes |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1, size = 16, size_out = 16 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\LoginData1, size = 2048, size_out = 2048 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_logins.txt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_logins.txt, size = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies, type = file_type |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies, type = attributes,time,size,volserialno |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies, size = 13824, size_out = 13312 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies, size = 512, size_out = 0 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies1, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Cookies1, size = 13312 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1, size = 100, size_out = 100 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1-journal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1, size = 1024, size_out = 1024 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1-journal, type = file_attributes |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1, size = 16, size_out = 16 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1, size = 1024, size_out = 1024 |
|
2 | |
| Module | Load | module_name = Crypt32.dll, base_address = 0x74880000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\crypt32.dll, function = CryptUnprotectData, address_out = 0x748caf50 |
|
1 | |
| Module | Load | module_name = Kernel32.dll, base_address = 0x74f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x74f587c0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies1, size = 1024, size_out = 1024 |
|
4 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_cookie.txt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_cookie.txt, size = 940 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data, type = file_type |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data, type = attributes,time,size,volserialno |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data, size = 70144, size_out = 69632 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data, size = 512, size_out = 0 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data1, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\\Web Data1, size = 69632 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 100, size_out = 100 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-journal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 2048, size_out = 2048 |
|
4 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-journal, type = file_attributes |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 16, size_out = 16 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 2048, size_out = 2048 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-journal, type = file_attributes |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 16, size_out = 16 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 2048, size_out = 2048 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-journal, type = file_attributes |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 16, size_out = 16 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 2048, size_out = 2048 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-journal, type = file_attributes |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 16, size_out = 16 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 2048, size_out = 2048 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-journal, type = file_attributes |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 16, size_out = 16 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1-wal, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data1, size = 2048, size_out = 2048 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_ccdata.txt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Write | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\google_chrome_default_ccdata.txt, size = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Opera Stable\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Opera Software\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Kometa\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Orbitum\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Amigo\\User\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Torch\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\360Browser\\Browser\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Vivaldi\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Sputnik\\Sputnik\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Maxthon3\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\CocCoc\\Browser\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Local\\Comodo\\Dragon\\User Data\\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\Desktop\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\, type = file_attributes |
|
1 | |
| File | Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\\Desktop\ |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Desktop\, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x74f66290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x74f661d0 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\18jnma3B6wuLf95.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\2SdJFUJ3QcigRje1.bmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\2mJtsm60nn2j5QJsI.jpg, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\DWBGUTID.bmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\FGITMr.avi, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\HWDisbS1QNhaWpm.gif, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\J-k6n.png, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\KBf9mkpw7.flv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\7bp3AQu3i4dy1.m4a, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\8j7q3kHOQ.jpg, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\KJ11.m4a, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\SNlWtxM6kYgAQev78.swf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\T5HEfd16HKMZ.avi, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\RFPCBqkh_x.mkv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\KTZ9.gif, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\XvvcPoLwXH0.flv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\r pCdnKEWp6D51EeOX 1.swf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\rd0rKyb.m4a, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\U80VGJPNM.gif, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\WozKdnD.swf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Ww-dQfUi.jpg, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Zero_Two.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\desktop.ini, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\gCgINgfUhblgdtEy0U.bmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\gF- u.flv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\hBtwHSisB60-Xgcl.png, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\hJ-x23vCcYTp8Kc6U.csv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\htSGnnW4JpPCITcKP2.png, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\jWzINLZVsoiWer2ST.mp3, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\jgZ4.pdf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\kvAy_.wav, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\l394, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Desktop\l394, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\l394\ANRt9-FGo-n4CEbi.pps, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\l394\IPJ s0JVt.jpg, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\l394\Lehz0J.wav, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\CxWh-xBX1wCvo72wky.bmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\YWXL.gif, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\gJjRqPmSBkBkWg.mp4, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\nn8SdT3X3elZEs.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\4fQnrkTzw96p.xls, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\_N7lr 3CQR5J7iZRE LH.bmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\u_p4zMGHb0kifah6_u.png, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\vzjDwRP82awwx8-.m4a, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mc 5AFKDPYEmc3MLPj.gif, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\qKGT5tsYg3Y4-2.ots, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\qqlRDHBXtHhZ.doc, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\tXvmVTqXXNByY05.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\z_3Kra5cmE57PxsVB5.m4a, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\zqsB0mfxVN2YzK.mkv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\0gXXaUFM0-oK8ASWVeB2.odt, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\474Aa-gWj7KzBTd.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\4FDCScX 2-THZ.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\AOOPjkYG.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Jw m_Mb8OQ9Wq.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Jxv-rzXyEE19FAyQX M9.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\KwryMsWE5_ey2mlC6PT.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\LqzHI0iYpnfWYJs_8l.pps, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Music, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Pictures, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\_private, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\_private, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\_private\folder.ico, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\desktop.ini, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Videos, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Quick Notes.one, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\-3fAJrCVRX8Z_.pdf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\2zz6XD.ods, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\M88XZ_9wxNc7qto8l9A.ots, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\YgeNEaLqCMGtQe2U.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\ff4vv.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\T1aUiNcB6vFXJ--CGqod, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\T1aUiNcB6vFXJ--CGqod, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\T1aUiNcB6vFXJ--CGqod\7Y2KU.odt, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\T1aUiNcB6vFXJ--CGqod\Fu4M.doc, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\VH h8C1yZasfM.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Vl6bQQ.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\WFkwOdvoA7Vk.doc, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\X9PEQy53-SCiln9P3.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\_ujogiH.ots, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\bDORZAiJr.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\cKtMEtjnjEDfMU zbt6j.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\ca9SVssXOq.ppt, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\desktop.ini, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\k0tYWAc4dttDx3JlJZkG.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\krFCKYCSAG9moR.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\mopisQ6oP.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\J0tU_uAif-0.csv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\YaSOjCr.ots, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\eSl6PLPg.ods, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\zWJfCn63h.ots, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\s0_cMgCwVuXzkTaEQg.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\swHXblMQ.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE\Sw_iOiUInGypOnydn.ods, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE\fVI5YTPfuh.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE\pAJfw48xGeJZG-0b.rtf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE\vZDFl6zVO0pP.rtf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\JxlVX0MRaEd hFblBqQd.xls, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\LZS2R4KdG.odp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\M5TeHLkrBV3p, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\M5TeHLkrBV3p, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\M5TeHLkrBV3p\PCTUmYJVI.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\M5TeHLkrBV3p\RaI9fNRmP vymY.pps, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\M5TeHLkrBV3p\oTa7wOUOPb3nj3.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\MM8.ods, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\NYCSLit_gX_h1xe.odp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\bdDE.odt, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\cXcMGyPbl.ppt, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\j1cn9NvnJH9.pps, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\sNxcAApPrgIsmmQkx.xls, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\wgc9Z7T.doc, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\yVa67kWGu4a5d29.pps, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\0xI5fMN1PN, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\0xI5fMN1PN, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\0xI5fMN1PN\MZ-9QigFKDnFEHDX5Rf.xls, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\Gzsosc, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\Gzsosc, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\Gzsosc\AN-9MFF84r4wx4rFhO4.odt, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\3jjrzMl0 vUKj2POJT0\sNwfmXP-WKMx-mH.rtf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\G9cdn4hkzfdlc2XWfx7.ods, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\dZBwx8S4Mnz.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\vzsx2\s1gZwO.odp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\18jnma3B6wuLf95.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\2SdJFUJ3QcigRje1.bmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\2mJtsm60nn2j5QJsI.jpg, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\DWBGUTID.bmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\FGITMr.avi, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\HWDisbS1QNhaWpm.gif, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\J-k6n.png, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\KBf9mkpw7.flv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\7bp3AQu3i4dy1.m4a, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\8j7q3kHOQ.jpg, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\KJ11.m4a, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\SNlWtxM6kYgAQev78.swf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\PxEr\T5HEfd16HKMZ.avi, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\RFPCBqkh_x.mkv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\KTZ9.gif, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\XvvcPoLwXH0.flv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\r pCdnKEWp6D51EeOX 1.swf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\S4Q3cA0WBPl6X\rd0rKyb.m4a, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\U80VGJPNM.gif, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\WozKdnD.swf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Ww-dQfUi.jpg, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Zero_Two.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\desktop.ini, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\gCgINgfUhblgdtEy0U.bmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\gF- u.flv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\hBtwHSisB60-Xgcl.png, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\hJ-x23vCcYTp8Kc6U.csv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\htSGnnW4JpPCITcKP2.png, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\jWzINLZVsoiWer2ST.mp3, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\jgZ4.pdf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\kvAy_.wav, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\l394\ANRt9-FGo-n4CEbi.pps, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\l394\IPJ s0JVt.jpg, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\l394\Lehz0J.wav, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\CxWh-xBX1wCvo72wky.bmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\YWXL.gif, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\gJjRqPmSBkBkWg.mp4, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\nn8SdT3X3elZEs.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\4fQnrkTzw96p.xls, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\_N7lr 3CQR5J7iZRE LH.bmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\u_p4zMGHb0kifah6_u.png, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mFH_98lXfoVAf-9M\rd0gXUDUAcACs\vzjDwRP82awwx8-.m4a, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\mc 5AFKDPYEmc3MLPj.gif, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\qKGT5tsYg3Y4-2.ots, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\qqlRDHBXtHhZ.doc, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\tXvmVTqXXNByY05.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\z_3Kra5cmE57PxsVB5.m4a, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\zqsB0mfxVN2YzK.mkv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\0gXXaUFM0-oK8ASWVeB2.odt, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\474Aa-gWj7KzBTd.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\4FDCScX 2-THZ.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\AOOPjkYG.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Jw m_Mb8OQ9Wq.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Jxv-rzXyEE19FAyQX M9.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\KwryMsWE5_ey2mlC6PT.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\LqzHI0iYpnfWYJs_8l.pps, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Music, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Music, file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Music, type = attributes,time,size,volserialno |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Pictures, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Pictures, file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Pictures, type = attributes,time,size,volserialno |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\_private\folder.ico, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\desktop.ini, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Videos, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Videos, file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Videos, type = attributes,time,size,volserialno |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\OneNote Notebooks\My Notebook\Quick Notes.one, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\-3fAJrCVRX8Z_.pdf, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\2zz6XD.ods, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\M88XZ_9wxNc7qto8l9A.ots, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\YgeNEaLqCMGtQe2U.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Oqg3kW8P6jKJo_Usv\ff4vv.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\T1aUiNcB6vFXJ--CGqod\7Y2KU.odt, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\T1aUiNcB6vFXJ--CGqod\Fu4M.doc, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\VH h8C1yZasfM.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\Vl6bQQ.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\WFkwOdvoA7Vk.doc, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\X9PEQy53-SCiln9P3.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\_ujogiH.ots, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\bDORZAiJr.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\cKtMEtjnjEDfMU zbt6j.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\ca9SVssXOq.ppt, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\desktop.ini, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\k0tYWAc4dttDx3JlJZkG.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\krFCKYCSAG9moR.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\mopisQ6oP.pptx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\J0tU_uAif-0.csv, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\YaSOjCr.ots, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\eSl6PLPg.ods, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\qt3bnoZWo2hd8JC\zWJfCn63h.ots, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\s0_cMgCwVuXzkTaEQg.docx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\swHXblMQ.xlsx, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE\Sw_iOiUInGypOnydn.ods, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Documents\tCIBbqQlETcBgm4LZJco\26GucFoE\fVI5YTPfuh.docx, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\Coins/, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\Desktop/, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_ccdata.txt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_ccdata.txt, type = file_type |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_ccdata.txt, type = attributes,time,size,volserialno |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_ccdata.txt, size = 512, size_out = 0 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_cookie.txt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_cookie.txt, type = file_type |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_cookie.txt, type = attributes,time,size,volserialno |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_cookie.txt, size = 1452, size_out = 940 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_cookie.txt, size = 512, size_out = 0 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_logins.txt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_logins.txt, type = file_type |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_logins.txt, type = attributes,time,size,volserialno |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\google_chrome_default_logins.txt, size = 512, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\CIiHmnxMn6Ps\Documents\My Videos, size = 1044 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\uy3novuytt14.zip, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x77570730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x77570df0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\uy3novuytt14.zip, size = 32768, size_out = 1044 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\uy3novuytt14.zip, size = 32768, size_out = 0 |
|
1 | |
| Environment | Get Environment String | name = GODEBUG |
|
1 | |
| Environment | Get Environment String | name = HTTP_PROXY |
|
1 | |
| Environment | Get Environment String | name = http_proxy |
|
1 | |
| Environment | Get Environment String | name = HTTPS_PROXY |
|
1 | |
| Environment | Get Environment String | name = https_proxy |
|
1 | |
| Environment | Get Environment String | name = NO_PROXY |
|
1 | |
| Environment | Get Environment String | name = no_proxy |
|
1 | |
| Environment | Get Environment String | name = REQUEST_METHOD |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = GetAddrInfoW, address_out = 0x74d39d90 |
|
1 | |
| DNS | Resolve Name | host = u2884418ra.ha002.t.justns.ru, address_out = 185.22.155.227 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = FreeAddrInfoW, address_out = 0x74d34b00 |
|
1 | |
| Module | Load | module_name = ws2_32.dll, base_address = 0x74d30000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSASocketW, address_out = 0x74d398a0 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = setsockopt, address_out = 0x74d39560 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = bind, address_out = 0x74d3e0f0 |
|
1 | |
| Socket | Bind | protocol = IPPROTO_IP, local_address = 0.0.0.0, local_port = 49428, hint = OS assigned a local port from the dynamic client port range |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = socket, address_out = 0x74d39780 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSAIoctl, address_out = 0x74d3dca0 |
|
1 | |
| Socket | Connect | remote_address = 185.22.155.227, remote_port = 80 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = getsockname, address_out = 0x74d3e030 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = getpeername, address_out = 0x74d412c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSARecv, address_out = 0x74d3d6c0 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 321560628 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = WSASend, address_out = 0x74d3d530 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size_out = 1579 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ws2_32.dll, function = closesocket, address_out = 0x74d39ba0 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 |
Thread 0xcf0
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|
Thread 0xcf8
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|
Thread 0xdbc
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|
Thread 0xde0
45
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = APPDATA, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Roaming |
|
2 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FileZilla\recentservers.xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FileZilla\sitemanager.xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\Coins\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41, type = file_attributes |
|
1 | |
| File | Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Local\zgk6mujwue41\Coins\ |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Florincoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\GoldCoin (GLD)\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Infinitecoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Ethereum\\keystore, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Exodus\\seed.seco, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\ElectronCash\\wallets\\default_wallet, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Zcash\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Megacoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\MultiDoge\\multidoge.wallet, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\devcoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\digitalcoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Franko\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Primecoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Electrum\\wallets\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\ethereum wallet\\keystore, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\monero-project\\wallets\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Litecoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Namecoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\mSIGNA_Bitcoin\\wallets\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Exodus\\exodus.wallet, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\BBQCoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Freicoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Ethereum Wallet\\keystore, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Anoncoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Mincoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Electrum\\wallets\\default_wallet, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Electrum-LTC\\wallets\\default_wallet, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\IOCoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\YACoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Armory\\wallets\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\monero-project\\keystore, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Bitcoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Ixcoin\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Bitcoin\\wallets\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Exodus\\passphrase.json, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\DashCore\\wallet.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\\AppData\\Roaming\\Terracoin\\wallet.dat, type = file_attributes |
|
1 |
Thread 0xddc
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|
Process #8: schtasks.exe
13
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | "C:\Windows\System32\schtasks.exe" /create /tn WinRun /tr "C:/ProgramData/WinSys.exe" /sc minute /F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:01:28, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde4 |
| Parent PID | 0xc10 (c:\users\ciihmnxmn6ps\desktop\zero_two.tmp) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DB4
0x
860
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a00000 | 0x00a00000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b00000 | 0x00bbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c4ffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x00c50000 | 0x00c62fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe | 0x00f40000 | 0x00f71fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x04f7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0511ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05120000 | 0x05456fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x729e0000 | 0x72a0cfff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x73d40000 | 0x73dcbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76fe0000 | 0x77061fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed60000 | 0x7ed60000 | 0x7ee5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee60000 | 0x7ee60000 | 0x7ee82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee84000 | 0x7ee84000 | 0x7ee84fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee85000 | 0x7ee85000 | 0x7ee85fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee8a000 | 0x7ee8a000 | 0x7ee8cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee8d000 | 0x7ee8d000 | 0x7ee8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0xdb4
13
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\schtasks.exe, base_address = 0xf40000 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 | |
| System | Get Time | type = Local Time, time = 2019-01-26 13:22:03 (Local Time) |
|
2 | |
| COM | Create | interface = 2FABA4C7-4DA9-4013-9697-20CC3FD40F85, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-01-26 13:22:04 (Local Time) |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 68 |
|
1 |
Process #10: schtasks.exe
13
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | "C:\Windows\System32\schtasks.exe" /create /tn SystemUpdate /tr "C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe" /sc hourly /F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:01:28, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0xc10 (c:\users\ciihmnxmn6ps\desktop\zero_two.tmp) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2EC
0x
55C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002c0000 | 0x002c0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x00303fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00393fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x00440000 | 0x00452fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00470000 | 0x0052dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00810000 | 0x00b46fff | Memory Mapped File | r |
|
|
|
- |
| schtasks.exe | 0x00f40000 | 0x00f71fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x04f7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x729e0000 | 0x72a0cfff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x73d40000 | 0x73dcbfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76fe0000 | 0x77061fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9d0000 | 0x7e9d0000 | 0x7eacffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ead0000 | 0x7ead0000 | 0x7eaf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eaf7000 | 0x7eaf7000 | 0x7eaf7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaf8000 | 0x7eaf8000 | 0x7eafafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eafb000 | 0x7eafb000 | 0x7eafbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eafd000 | 0x7eafd000 | 0x7eafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc57b4ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfc57b50000 | 0x7dfc57b50000 | 0x7ffc57b4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0x2ec
13
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\schtasks.exe, base_address = 0xf40000 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 | |
| System | Get Time | type = Local Time, time = 2019-01-26 13:22:03 (Local Time) |
|
2 | |
| COM | Create | interface = 2FABA4C7-4DA9-4013-9697-20CC3FD40F85, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| System | Get Time | type = Local Time, time = 2019-01-26 13:22:03 (Local Time) |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 74 |
|
1 |
Process #12: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:26, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:28 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x324 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
DB8
0x
CFC
0x
DCC
0x
D28
0x
D30
0x
D04
0x
D08
0x
CD8
0x
A94
0x
CC4
0x
AF4
0x
65C
0x
7A0
0x
FB8
0x
F58
0x
F50
0x
F44
0x
E1C
0x
E18
0x
E14
0x
E10
0x
E08
0x
E04
0x
D4C
0x
D48
0x
D3C
0x
87C
0x
6D8
0x
24C
0x
8B4
0x
8B0
0x
894
0x
864
0x
43C
0x
7A8
0x
778
0x
758
0x
750
0x
73C
0x
734
0x
730
0x
72C
0x
700
0x
6FC
0x
64C
0x
634
0x
624
0x
604
0x
600
0x
5F8
0x
5F0
0x
5EC
0x
5E8
0x
5E0
0x
5CC
0x
5C8
0x
5B4
0x
5B0
0x
594
0x
590
0x
574
0x
50C
0x
40C
0x
374
0x
140
0x
18C
0x
14C
0x
FC
0x
F8
0x
F4
0x
3FC
0x
3EC
0x
3E8
0x
3E0
0x
3D0
0x
3CC
0x
3C8
0x
3B8
0x
390
0x
328
0x
248
0x
910
0x
3DC
0x
A68
0x
7FC
0x
A90
0x
AD4
0x
15C
0x
C08
0x
C20
0x
C24
0x
5C0
0x
8CC
0x
DA4
0x
618
0x
4D0
0x
8AC
0x
F34
0x
F7C
0x
F48
0x
F3C
0x
E58
0x
790
0x
C34
0x
41C
0x
CCC
0x
DF4
0x
D20
0x
820
0x
DF0
0x
AE4
0x
D1C
0x
FB0
0x
DC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000b42eea0000 | 0xb42eea0000 | 0xb42eeaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xb42eeb0000 | 0xb42eeb0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b42eec0000 | 0xb42eec0000 | 0xb42eed3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42eee0000 | 0xb42eee0000 | 0xb42ef5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42ef60000 | 0xb42ef60000 | 0xb42ef63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42ef70000 | 0xb42ef70000 | 0xb42ef70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42ef80000 | 0xb42ef80000 | 0xb42ef81fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42ef90000 | 0xb42ef90000 | 0xb42f00ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42f010000 | 0xb42f010000 | 0xb42f016fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb42f020000 | 0xb42f0ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b42f0e0000 | 0xb42f0e0000 | 0xb42f0e0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42f0f0000 | 0xb42f0f0000 | 0xb42f0f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42f100000 | 0xb42f100000 | 0xb42f1fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f200000 | 0xb42f200000 | 0xb42f2bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f2c0000 | 0xb42f2c0000 | 0xb42f2c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f2d0000 | 0xb42f2d0000 | 0xb42f2d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f2e0000 | 0xb42f2e0000 | 0xb42f2e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f2f0000 | 0xb42f2f0000 | 0xb42f2f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f300000 | 0xb42f300000 | 0xb42f3fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f400000 | 0xb42f400000 | 0xb42f587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f590000 | 0xb42f590000 | 0xb42f710fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f720000 | 0xb42f720000 | 0xb42f79ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42f7a0000 | 0xb42f7a0000 | 0xb42f81ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f820000 | 0xb42f820000 | 0xb42f820fff | Pagefile Backed Memory | rw |
|
|
|
- |
| iphlpsvc.dll.mui | 0xb42f830000 | 0xb42f83cfff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xb42f840000 | 0xb42f843fff | Memory Mapped File | r |
|
|
|
- |
| gpsvc.dll.mui | 0xb42f850000 | 0xb42f85cfff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xb42f860000 | 0xb42f863fff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0xb42f870000 | 0xb42f880fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b42f890000 | 0xb42f890000 | 0xb42f896fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f8a0000 | 0xb42f8a0000 | 0xb42f8a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b42f8b0000 | 0xb42f8b0000 | 0xb42f8b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b42f8c0000 | 0xb42f8c0000 | 0xb42f8c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b42f8d0000 | 0xb42f8d0000 | 0xb42f8d6fff | Private Memory | rw |
|
|
|
- |
| activeds.dll.mui | 0xb42f8e0000 | 0xb42f8e1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b42f8f0000 | 0xb42f8f0000 | 0xb42f8f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b42f900000 | 0xb42f900000 | 0xb42f9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42fa00000 | 0xb42fa00000 | 0xb42fafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b42fb00000 | 0xb42fb00000 | 0xb42fbfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xb42fc00000 | 0xb42ff36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b42ff40000 | 0xb42ff40000 | 0xb43003ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430040000 | 0xb430040000 | 0xb43013ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430140000 | 0xb430140000 | 0xb43023ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430240000 | 0xb430240000 | 0xb43033ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430340000 | 0xb430340000 | 0xb4303bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b4303c0000 | 0xb4303c0000 | 0xb4303c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| vsstrace.dll.mui | 0xb4303d0000 | 0xb4303d8fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll | 0xb4303e0000 | 0xb4303e4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0xb4303f0000 | 0xb4303fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b430400000 | 0xb430400000 | 0xb4304fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430500000 | 0xb430500000 | 0xb4305fffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xb430600000 | 0xb43068afff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0xb430690000 | 0xb430692fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b4306a0000 | 0xb4306a0000 | 0xb4306a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b4306b0000 | 0xb4306b0000 | 0xb4306b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| newdev.dll.mui | 0xb4306c0000 | 0xb4306c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b4306d0000 | 0xb4306d0000 | 0xb4306d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b4306e0000 | 0xb4306e0000 | 0xb4306e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b4306f0000 | 0xb4306f0000 | 0xb4306f7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430700000 | 0xb430700000 | 0xb4307fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430800000 | 0xb430800000 | 0xb4308fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430900000 | 0xb430900000 | 0xb43097ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0xb430980000 | 0xb4309c2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b4309d0000 | 0xb4309d0000 | 0xb430a10fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a20000 | 0xb430a20000 | 0xb430a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a30000 | 0xb430a30000 | 0xb430a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a40000 | 0xb430a40000 | 0xb430a40fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a50000 | 0xb430a50000 | 0xb430a50fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a60000 | 0xb430a60000 | 0xb430a66fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a70000 | 0xb430a70000 | 0xb430a73fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430a80000 | 0xb430a80000 | 0xb430b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430b80000 | 0xb430b80000 | 0xb430c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430c80000 | 0xb430c80000 | 0xb430cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430d00000 | 0xb430d00000 | 0xb430dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430e00000 | 0xb430e00000 | 0xb430efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b430f00000 | 0xb430f00000 | 0xb430ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431000000 | 0xb431000000 | 0xb4310fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431100000 | 0xb431100000 | 0xb4311fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431200000 | 0xb431200000 | 0xb4312fffff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0xb431300000 | 0xb43130ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431310000 | 0xb43131ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431320000 | 0xb43132ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431330000 | 0xb43133ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431340000 | 0xb43134ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431350000 | 0xb43135ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431360000 | 0xb43136ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431370000 | 0xb43137ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b431380000 | 0xb431380000 | 0xb43147ffff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0xb431480000 | 0xb43148ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb431490000 | 0xb43149ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314a0000 | 0xb4314affff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314b0000 | 0xb4314bffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314c0000 | 0xb4314cffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314d0000 | 0xb4314dffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314e0000 | 0xb4314effff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb4314f0000 | 0xb4314fffff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0xb431500000 | 0xb4315defff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b4315e0000 | 0xb4315e0000 | 0xb4315e1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b4315f0000 | 0xb4315f0000 | 0xb4315f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431600000 | 0xb431600000 | 0xb4316fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431700000 | 0xb431700000 | 0xb43177ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431780000 | 0xb431780000 | 0xb43187ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b431880000 | 0xb431880000 | 0xb43197ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b431980000 | 0xb431980000 | 0xb43198ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431990000 | 0xb431990000 | 0xb431a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b431a90000 | 0xb431a90000 | 0xb431a9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431aa0000 | 0xb431aa0000 | 0xb431aaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ab0000 | 0xb431ab0000 | 0xb431abffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ac0000 | 0xb431ac0000 | 0xb431acffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ad0000 | 0xb431ad0000 | 0xb431adffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b431ae0000 | 0xb431ae0000 | 0xb431aeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b431af0000 | 0xb431af0000 | 0xb431af7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431b00000 | 0xb431b00000 | 0xb431b06fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431b10000 | 0xb431b10000 | 0xb431c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431c10000 | 0xb431c10000 | 0xb431c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431c90000 | 0xb431c90000 | 0xb431d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431d90000 | 0xb431d90000 | 0xb431e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431e10000 | 0xb431e10000 | 0xb431f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431f10000 | 0xb431f10000 | 0xb431f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b431f90000 | 0xb431f90000 | 0xb43200ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432010000 | 0xb432010000 | 0xb43208ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432090000 | 0xb432090000 | 0xb43210ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432110000 | 0xb432110000 | 0xb43220ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432210000 | 0xb432210000 | 0xb43230ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432310000 | 0xb432310000 | 0xb43240ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432410000 | 0xb432410000 | 0xb43248ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432490000 | 0xb432490000 | 0xb43258ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432590000 | 0xb432590000 | 0xb43268ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432690000 | 0xb432690000 | 0xb43278ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432790000 | 0xb432790000 | 0xb43288ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432890000 | 0xb432890000 | 0xb43290ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b432910000 | 0xb432910000 | 0xb43295cfff | Pagefile Backed Memory | rw |
|
|
|
- |
| datastore.edb | 0xb432960000 | 0xb43296ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b432970000 | 0xb432970000 | 0xb432976fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432980000 | 0xb432980000 | 0xb432a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432a80000 | 0xb432a80000 | 0xb432afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432b00000 | 0xb432b00000 | 0xb432bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432c00000 | 0xb432c00000 | 0xb432cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432d00000 | 0xb432d00000 | 0xb432dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b432e00000 | 0xb432e00000 | 0xb432e7ffff | Private Memory | rw |
|
|
|
- |
| dosvc.dll.mui | 0xb432e80000 | 0xb432e80fff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432e90000 | 0xb432e9ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432ea0000 | 0xb432eaffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432eb0000 | 0xb432ebffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xb432ec0000 | 0xb432ecffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b432ed0000 | 0xb432ed0000 | 0xb432ed1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| datastore.edb | 0xb432ee0000 | 0xb432eeffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b432ef0000 | 0xb432ef0000 | 0xb432ef1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b432f00000 | 0xb432f00000 | 0xb432ffffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 409 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #13: winsys.exe
9
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\programdata\winsys.exe |
| Command Line | C:/ProgramData/WinSys.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:24, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe2c |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A60
0x
A8C
0x
9EC
0x
1E0
0x
2F0
0x
6D0
0x
620
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| winsys.exe | 0x00040000 | 0x0005dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x01003fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0114ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x01153fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x01161fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01170000 | 0x0122dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0126ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001270000 | 0x01270000 | 0x01270fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001280000 | 0x01280000 | 0x01280fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001290000 | 0x01290000 | 0x0129ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000012a0000 | 0x012a0000 | 0x012affff | Private Memory | - |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x012bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x012dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000012e0000 | 0x012e0000 | 0x012effff | Private Memory | - |
|
|
|
- |
| private_0x00000000012f0000 | 0x012f0000 | 0x012f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x01300fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001310000 | 0x01310000 | 0x0131ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001320000 | 0x01320000 | 0x0132ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001330000 | 0x01330000 | 0x0133ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001340000 | 0x01340000 | 0x0143ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x0147ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001480000 | 0x01480000 | 0x014bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014c0000 | 0x014c0000 | 0x014cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014d0000 | 0x014d0000 | 0x014fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014d0000 | 0x014d0000 | 0x014dffff | Private Memory | - |
|
|
|
- |
| pagefile_0x00000000014e0000 | 0x014e0000 | 0x014e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000014f0000 | 0x014f0000 | 0x014fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001500000 | 0x01500000 | 0x015fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001600000 | 0x01600000 | 0x0169ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016a0000 | 0x016a0000 | 0x016affff | Private Memory | - |
|
|
|
- |
| private_0x00000000016b0000 | 0x016b0000 | 0x016bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000016c0000 | 0x016c0000 | 0x016cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000016d0000 | 0x016d0000 | 0x016dffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000016e0000 | 0x016e0000 | 0x0171ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001720000 | 0x01720000 | 0x0172ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001730000 | 0x01730000 | 0x0173ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001740000 | 0x01740000 | 0x01740fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001750000 | 0x01750000 | 0x0175ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001760000 | 0x01760000 | 0x018e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000018f0000 | 0x018f0000 | 0x01a70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001a80000 | 0x01a80000 | 0x02e7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002e80000 | 0x02e80000 | 0x02f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f80000 | 0x02f80000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05080000 | 0x053b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000053c0000 | 0x053c0000 | 0x054bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054c0000 | 0x054c0000 | 0x054fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005500000 | 0x05500000 | 0x0553ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005540000 | 0x05540000 | 0x0556ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000055b0000 | 0x055b0000 | 0x055bffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000055c0000 | 0x055c0000 | 0x065bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000065c0000 | 0x065c0000 | 0x066effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000066f0000 | 0x066f0000 | 0x076effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000076f0000 | 0x076f0000 | 0x0793ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007940000 | 0x07940000 | 0x0893ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008940000 | 0x08940000 | 0x0993ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009940000 | 0x09940000 | 0x0a93ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a940000 | 0x0a940000 | 0x0aa3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000000aa40000 | 0x0aa40000 | 0x0ab3ffff | Private Memory | rw |
|
|
|
- |
| system.windows.forms.dll | 0x0afe0000 | 0x0b477fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x71f10000 | 0x728bcfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x728c0000 | 0x7293cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x72a10000 | 0x73c3afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x73c40000 | 0x73d34fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x73dd0000 | 0x74477fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74480000 | 0x74487fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74530000 | 0x745a7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x745b0000 | 0x74608fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x746b0000 | 0x74740fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007eb24000 | 0x7eb24000 | 0x7eb26fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb27000 | 0x7eb27000 | 0x7eb29fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2a000 | 0x7eb2a000 | 0x7eb2cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2d000 | 0x7eb2d000 | 0x7eb2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007eb30000 | 0x7eb30000 | 0x7ec2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec30000 | 0x7ec30000 | 0x7ec52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec53000 | 0x7ec53000 | 0x7ec53fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec56000 | 0x7ec56000 | 0x7ec58fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec59000 | 0x7ec59000 | 0x7ec5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec5c000 | 0x7ec5c000 | 0x7ec5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec5f000 | 0x7ec5f000 | 0x7ec5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0xa60
7
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = COR_ENABLE_PROFILING |
|
1 | |
| File | Get Info | filename = C:\ProgramData\WinSys.exe, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe, type = file_attributes |
|
1 | |
| Mutex | Create | mutex_name = f6a845a7-3909-486d-8d82-29892b2a38d4 |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
Thread 0x6d0
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 |
Thread 0x620
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 |
Process #14: wmiadap.exe
0
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\wbem\wmiadap.exe |
| Command Line | wmiadap.exe /F /T /R |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:05, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:49 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee0 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
EF0
0x
EF8
0x
ED4
0x
ECC
0x
F54
0x
F4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000d905f10000 | 0xd905f10000 | 0xd905f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d905f10000 | 0xd905f10000 | 0xd905f1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000d905f20000 | 0xd905f20000 | 0xd905f26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d905f30000 | 0xd905f30000 | 0xd905f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d905f50000 | 0xd905f50000 | 0xd905fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d905fd0000 | 0xd905fd0000 | 0xd905fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d905fe0000 | 0xd905fe0000 | 0xd905fe0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d905ff0000 | 0xd905ff0000 | 0xd905ff1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd906000000 | 0xd9060bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d9060c0000 | 0xd9060c0000 | 0xd90613ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906140000 | 0xd906140000 | 0xd906146fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906150000 | 0xd906150000 | 0xd906150fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906160000 | 0xd906160000 | 0xd906160fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d906170000 | 0xd906170000 | 0xd906170fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d906180000 | 0xd906180000 | 0xd906180fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d906190000 | 0xd906190000 | 0xd90628ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906290000 | 0xd906290000 | 0xd90630ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906370000 | 0xd906370000 | 0xd90637ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d906380000 | 0xd906380000 | 0xd906507fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d906510000 | 0xd906510000 | 0xd906690fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d9066a0000 | 0xd9066a0000 | 0xd90675ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0xd906760000 | 0xd906a96fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d906aa0000 | 0xd906aa0000 | 0xd906b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906b20000 | 0xd906b20000 | 0xd906b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d906ba0000 | 0xd906ba0000 | 0xd906c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fffc0000 | 0x7df5fffc0000 | 0x7ff5fffbffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6673a0000 | 0x7ff6673a0000 | 0x7ff66749ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6674a0000 | 0x7ff6674a0000 | 0x7ff6674c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6674c3000 | 0x7ff6674c3000 | 0x7ff6674c4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674c5000 | 0x7ff6674c5000 | 0x7ff6674c6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674c7000 | 0x7ff6674c7000 | 0x7ff6674c8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674c9000 | 0x7ff6674c9000 | 0x7ff6674cafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674cb000 | 0x7ff6674cb000 | 0x7ff6674ccfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674cd000 | 0x7ff6674cd000 | 0x7ff6674cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6674ce000 | 0x7ff6674ce000 | 0x7ff6674cffff | Private Memory | rw |
|
|
|
- |
| wmiadap.exe | 0x7ff667b90000 | 0x7ff667bbefff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ffc496f0000 | 0x7ffc49703fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ffc49710000 | 0x7ffc49807fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ffc4a370000 | 0x7ffc4a380fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ffc4d910000 | 0x7ffc4d98efff | Memory Mapped File | rwx |
|
|
|
- |
| loadperf.dll | 0x7ffc50610000 | 0x7ffc50634fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7ffc57a20000 | 0x7ffc57a27fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #17: winsys.exe
9
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\programdata\winsys.exe |
| Command Line | C:/ProgramData/WinSys.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:27, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3c0 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F78
0x
F74
0x
F64
0x
F6C
0x
FE4
0x
F70
0x
F80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| winsys.exe | 0x00040000 | 0x0005dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x00f0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f20fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01093fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x010d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000010e0000 | 0x010e0000 | 0x010effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x011fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01200000 | 0x012bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x013fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001400000 | 0x01400000 | 0x0140ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001410000 | 0x01410000 | 0x0141ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001420000 | 0x01420000 | 0x0142ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001430000 | 0x01430000 | 0x0143ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x0144ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001450000 | 0x01450000 | 0x0145ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001460000 | 0x01460000 | 0x015e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000015f0000 | 0x015f0000 | 0x01770fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001780000 | 0x01780000 | 0x02b7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002b80000 | 0x02b80000 | 0x02b80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b90000 | 0x02b90000 | 0x02b90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ba0000 | 0x02ba0000 | 0x02bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02beffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02bfffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002c00000 | 0x02c00000 | 0x02c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c80000 | 0x02c80000 | 0x02c8ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002c90000 | 0x02c90000 | 0x02c9ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x02ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cf0000 | 0x02cf0000 | 0x02cfffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000002d00000 | 0x02d00000 | 0x02d00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002d10000 | 0x02d10000 | 0x02d1ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x02d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d30000 | 0x02d30000 | 0x02e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04f30000 | 0x05266fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x052fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052b0000 | 0x052b0000 | 0x052dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x052effff | Private Memory | - |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x052fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x053fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005400000 | 0x05400000 | 0x05400fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000054c0000 | 0x054c0000 | 0x054cffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000054d0000 | 0x054d0000 | 0x064cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000064d0000 | 0x064d0000 | 0x065fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006600000 | 0x06600000 | 0x075fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007600000 | 0x07600000 | 0x0784ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007850000 | 0x07850000 | 0x0884ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008850000 | 0x08850000 | 0x0984ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009850000 | 0x09850000 | 0x0994ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009950000 | 0x09950000 | 0x09a4ffff | Private Memory | rw |
|
|
|
- |
| system.windows.forms.dll | 0x09ef0000 | 0x0a387fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x71f10000 | 0x728bcfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x728c0000 | 0x7293cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x72a10000 | 0x73c3afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x73c40000 | 0x73d34fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x73dd0000 | 0x74477fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74480000 | 0x74487fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74530000 | 0x745a7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x745b0000 | 0x74608fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f101000 | 0x7f101000 | 0x7f103fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f104000 | 0x7f104000 | 0x7f106fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f107000 | 0x7f107000 | 0x7f109fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10a000 | 0x7f10a000 | 0x7f10cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f10d000 | 0x7f10d000 | 0x7f10ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f110000 | 0x7f110000 | 0x7f20ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f210000 | 0x7f210000 | 0x7f232fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f235000 | 0x7f235000 | 0x7f237fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f238000 | 0x7f238000 | 0x7f238fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23b000 | 0x7f23b000 | 0x7f23bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23d000 | 0x7f23d000 | 0x7f23ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0xf78
7
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = COR_ENABLE_PROFILING |
|
1 | |
| File | Get Info | filename = C:\ProgramData\WinSys.exe, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe, type = file_attributes |
|
1 | |
| Mutex | Create | mutex_name = f6a845a7-3909-486d-8d82-29892b2a38d4 |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
Thread 0xf70
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 |
Thread 0xf80
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 |
Process #18: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {15A7A4A7-8576-4E0D-8E68-775B3CBFF42F} S-1-5-18:NT AUTHORITY\System:Service: |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:07, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:47 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf2c |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
F40
0x
764
0x
A70
0x
C50
0x
C58
0x
C74
0x
8B8
0x
900
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000007ce3620000 | 0x7ce3620000 | 0x7ce363ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ce3620000 | 0x7ce3620000 | 0x7ce362ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000007ce3630000 | 0x7ce3630000 | 0x7ce3636fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ce3640000 | 0x7ce3640000 | 0x7ce3653fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007ce3660000 | 0x7ce3660000 | 0x7ce36dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ce36e0000 | 0x7ce36e0000 | 0x7ce36e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007ce36f0000 | 0x7ce36f0000 | 0x7ce36f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007ce3700000 | 0x7ce3700000 | 0x7ce3701fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x7ce3710000 | 0x7ce37cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007ce37d0000 | 0x7ce37d0000 | 0x7ce384ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce3850000 | 0x7ce3850000 | 0x7ce3856fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce3860000 | 0x7ce3860000 | 0x7ce395ffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe.mui | 0x7ce3960000 | 0x7ce3960fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007ce3970000 | 0x7ce3970000 | 0x7ce3970fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce3980000 | 0x7ce3980000 | 0x7ce3980fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce3990000 | 0x7ce3990000 | 0x7ce399ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ce39a0000 | 0x7ce39a0000 | 0x7ce39a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007ce39b0000 | 0x7ce39b0000 | 0x7ce39b6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce39e0000 | 0x7ce39e0000 | 0x7ce39effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ce39f0000 | 0x7ce39f0000 | 0x7ce3b77fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007ce3b80000 | 0x7ce3b80000 | 0x7ce3d00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007ce3d10000 | 0x7ce3d10000 | 0x7ce3dcffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007ce3dd0000 | 0x7ce3dd0000 | 0x7ce3e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce3e50000 | 0x7ce3e50000 | 0x7ce3f4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x7ce3f50000 | 0x7ce4286fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007ce4290000 | 0x7ce4290000 | 0x7ce430ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce4310000 | 0x7ce4310000 | 0x7ce438ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce4390000 | 0x7ce4390000 | 0x7ce440ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007ce4410000 | 0x7ce4410000 | 0x7ce448ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff4c0000 | 0x7df5ff4c0000 | 0x7ff5ff4bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff66a38e000 | 0x7ff66a38e000 | 0x7ff66a38ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff66a390000 | 0x7ff66a390000 | 0x7ff66a48ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff66a490000 | 0x7ff66a490000 | 0x7ff66a4b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff66a4b3000 | 0x7ff66a4b3000 | 0x7ff66a4b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4b5000 | 0x7ff66a4b5000 | 0x7ff66a4b6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4b7000 | 0x7ff66a4b7000 | 0x7ff66a4b8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4b9000 | 0x7ff66a4b9000 | 0x7ff66a4bafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4bb000 | 0x7ff66a4bb000 | 0x7ff66a4bcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4bd000 | 0x7ff66a4bd000 | 0x7ff66a4befff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff66a4bf000 | 0x7ff66a4bf000 | 0x7ff66a4bffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe | 0x7ff66ab00000 | 0x7ff66ab4cfff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7ffc505c0000 | 0x7ffc505c8fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #19: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {1041B8A7-BFE5-4C6D-B407-C03324D5908B} S-1-5-21-1462094071-1423818996-289466292-1000:LHNIWSJ\CIiHmnxMn6Ps:Interactive:LUA[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:46 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x36c |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8D0
0x
C3C
0x
C70
0x
C48
0x
E24
0x
E28
0x
F24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004fad200000 | 0x4fad200000 | 0x4fad21ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004fad200000 | 0x4fad200000 | 0x4fad20ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000004fad210000 | 0x4fad210000 | 0x4fad216fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004fad220000 | 0x4fad220000 | 0x4fad233fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004fad240000 | 0x4fad240000 | 0x4fad2bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004fad2c0000 | 0x4fad2c0000 | 0x4fad2c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004fad2d0000 | 0x4fad2d0000 | 0x4fad2d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004fad2e0000 | 0x4fad2e0000 | 0x4fad2e1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad2f0000 | 0x4fad2f0000 | 0x4fad2f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004fad300000 | 0x4fad300000 | 0x4fad300fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004fad310000 | 0x4fad310000 | 0x4fad316fff | Private Memory | rw |
|
|
|
- |
| taskeng.exe.mui | 0x4fad320000 | 0x4fad320fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004fad330000 | 0x4fad330000 | 0x4fad42ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4fad430000 | 0x4fad4edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004fad4f0000 | 0x4fad4f0000 | 0x4fad56ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad570000 | 0x4fad570000 | 0x4fad5effff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad5f0000 | 0x4fad5f0000 | 0x4fad66ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad670000 | 0x4fad670000 | 0x4fad670fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad680000 | 0x4fad680000 | 0x4fad680fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad6d0000 | 0x4fad6d0000 | 0x4fad6dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad6e0000 | 0x4fad6e0000 | 0x4fad7dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad7e0000 | 0x4fad7e0000 | 0x4fad85ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fad8b0000 | 0x4fad8b0000 | 0x4fad8bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x4fad8c0000 | 0x4fadbf6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004fadc00000 | 0x4fadc00000 | 0x4fadc7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004fadc80000 | 0x4fadc80000 | 0x4fadcfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004fadd00000 | 0x4fadd00000 | 0x4fade87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004fade90000 | 0x4fade90000 | 0x4fae010fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004fae020000 | 0x4fae020000 | 0x4faf41ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004faf4e0000 | 0x4faf4e0000 | 0x4faf4effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff0f0000 | 0x7df5ff0f0000 | 0x7ff5ff0effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff669d9c000 | 0x7ff669d9c000 | 0x7ff669d9dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669d9e000 | 0x7ff669d9e000 | 0x7ff669d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff669da0000 | 0x7ff669da0000 | 0x7ff669e9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff669ea0000 | 0x7ff669ea0000 | 0x7ff669ec2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff669ec4000 | 0x7ff669ec4000 | 0x7ff669ec5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669ec6000 | 0x7ff669ec6000 | 0x7ff669ec6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669ec8000 | 0x7ff669ec8000 | 0x7ff669ec9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669eca000 | 0x7ff669eca000 | 0x7ff669ecbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669ecc000 | 0x7ff669ecc000 | 0x7ff669ecdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff669ece000 | 0x7ff669ece000 | 0x7ff669ecffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe | 0x7ff66ab00000 | 0x7ff66ab4cfff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7ffc505c0000 | 0x7ffc505c8fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffc52cd0000 | 0x7ffc52d47fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #20: sdxhelper.exe
0
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\sdxhelper.exe |
| Command Line | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\sdxhelper.exe" /onlogon |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:18, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf28 |
| Parent PID | 0x36c (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DFC
0x
728
0x
C40
0x
D38
0x
DC0
0x
DC4
0x
D34
0x
D2C
0x
270
0x
D0
0x
224
0x
338
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000c40ba50000 | 0xc40ba50000 | 0xc40ba6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40ba50000 | 0xc40ba50000 | 0xc40ba5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c40ba60000 | 0xc40ba60000 | 0xc40ba66fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40ba70000 | 0xc40ba70000 | 0xc40ba83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40ba90000 | 0xc40ba90000 | 0xc40bb8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40bb90000 | 0xc40bb90000 | 0xc40bb93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40bba0000 | 0xc40bba0000 | 0xc40bba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40bbb0000 | 0xc40bbb0000 | 0xc40bbb1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40bbc0000 | 0xc40bbc0000 | 0xc40bbc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40bbd0000 | 0xc40bbd0000 | 0xc40bbd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40bbe0000 | 0xc40bbe0000 | 0xc40bbe0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40bbf0000 | 0xc40bbf0000 | 0xc40bbf0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40bc00000 | 0xc40bc00000 | 0xc40bc00fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40bc10000 | 0xc40bc10000 | 0xc40bc10fff | Private Memory | rw |
|
|
|
- |
| installermainshell.tlb | 0xc40bc20000 | 0xc40bc21fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c40bc30000 | 0xc40bc30000 | 0xc40bc32fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40bc40000 | 0xc40bc40000 | 0xc40bc42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40bc50000 | 0xc40bc50000 | 0xc40bc5ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x000000c40bc60000 | 0xc40bc60000 | 0xc40bc61fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40bc70000 | 0xc40bc70000 | 0xc40bd6ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xc40bd70000 | 0xc40be2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c40be30000 | 0xc40be30000 | 0xc40bf2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40be30000 | 0xc40be30000 | 0xc40be33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40be40000 | 0xc40be40000 | 0xc40be41fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c40be50000 | 0xc40be50000 | 0xc40be6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40be70000 | 0xc40be70000 | 0xc40bf6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40bf70000 | 0xc40bf70000 | 0xc40bf70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c40bf80000 | 0xc40bf80000 | 0xc40bf80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40bf90000 | 0xc40bf90000 | 0xc40bf90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40bfa0000 | 0xc40bfa0000 | 0xc40bfa0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0xc40bfb0000 | 0xc40bfb0fff | Memory Mapped File | rw |
|
|
|
- |
| winnlsres.dll | 0xc40bfc0000 | 0xc40bfc4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0xc40bfd0000 | 0xc40bfdffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c40bfe0000 | 0xc40bfe0000 | 0xc40bfeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40bff0000 | 0xc40bff0000 | 0xc40c177fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40c180000 | 0xc40c180000 | 0xc40c300fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c40c310000 | 0xc40c310000 | 0xc40d70ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0xc40d710000 | 0xc40da46fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c40da50000 | 0xc40da50000 | 0xc40db4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c40db50000 | 0xc40db50000 | 0xc40dc07fff | Pagefile Backed Memory | r |
|
|
|
- |
| mswsock.dll.mui | 0xc40dc10000 | 0xc40dc12fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c40dc20000 | 0xc40dc20000 | 0xc40dc21fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c40dc30000 | 0xc40dc30000 | 0xc40dc3ffff | Private Memory | rw |
|
|
|
- |
| office.odf | 0xc40dc40000 | 0xc40de60fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c40de70000 | 0xc40de70000 | 0xc40df6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40df70000 | 0xc40df70000 | 0xc40e06ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e070000 | 0xc40e070000 | 0xc40e16ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e170000 | 0xc40e170000 | 0xc40e26ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e270000 | 0xc40e270000 | 0xc40e36ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e370000 | 0xc40e370000 | 0xc40e46ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e470000 | 0xc40e470000 | 0xc40e56ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e570000 | 0xc40e570000 | 0xc40e66ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e670000 | 0xc40e670000 | 0xc40e76ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c40e770000 | 0xc40e770000 | 0xc40e96ffff | Private Memory | rw |
|
|
|
- |
| crypt32.dll.mui | 0xc40e970000 | 0xc40e979fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff400000 | 0x7df5ff400000 | 0x7ff5ff3fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff71cf56000 | 0x7ff71cf56000 | 0x7ff71cf57fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf58000 | 0x7ff71cf58000 | 0x7ff71cf59fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf5a000 | 0x7ff71cf5a000 | 0x7ff71cf5bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf5c000 | 0x7ff71cf5c000 | 0x7ff71cf5dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71cf5e000 | 0x7ff71cf5e000 | 0x7ff71cf5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff71cf60000 | 0x7ff71cf60000 | 0x7ff71d05ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff71d060000 | 0x7ff71d060000 | 0x7ff71d082fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff71d083000 | 0x7ff71d083000 | 0x7ff71d084fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d085000 | 0x7ff71d085000 | 0x7ff71d085fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d086000 | 0x7ff71d086000 | 0x7ff71d087fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d088000 | 0x7ff71d088000 | 0x7ff71d089fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d08a000 | 0x7ff71d08a000 | 0x7ff71d08bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d08c000 | 0x7ff71d08c000 | 0x7ff71d08dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff71d08e000 | 0x7ff71d08e000 | 0x7ff71d08ffff | Private Memory | rw |
|
|
|
- |
| sdxhelper.exe | 0x7ff71def0000 | 0x7ff71df0efff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc17bd0000 | 0x7ffc17bd0000 | 0x7ffc17bdffff | Private Memory | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7ffc3def0000 | 0x7ffc3e568fff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7ffc405e0000 | 0x7ffc40df0fff | Memory Mapped File | rwx |
|
|
|
- |
| c2r64.dll | 0x7ffc40e00000 | 0x7ffc41077fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvsubsystems64.dll | 0x7ffc410e0000 | 0x7ffc41363fff | Memory Mapped File | rwx |
|
|
|
- |
| dsreg.dll | 0x7ffc46650000 | 0x7ffc466a9fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ffc4a100000 | 0x7ffc4a17ffff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x7ffc4a6b0000 | 0x7ffc4a6c6fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7ffc4b290000 | 0x7ffc4b536fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ffc4b540000 | 0x7ffc4b6d6fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffc4b8c0000 | 0x7ffc4b8d4fff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x7ffc4b930000 | 0x7ffc4bc6cfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffc4c270000 | 0x7ffc4c279fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.security.authentication.web.core.dll | 0x7ffc4cfe0000 | 0x7ffc4d08cfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7ffc4fd60000 | 0x7ffc4fe06fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ffc50400000 | 0x7ffc504f1fff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x7ffc505a0000 | 0x7ffc505b5fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffc53980000 | 0x7ffc539f3fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffc53f30000 | 0x7ffc53f65fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffc53f70000 | 0x7ffc53f95fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffc54440000 | 0x7ffc544d7fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7ffc55220000 | 0x7ffc5527afff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x7ffc57450000 | 0x7ffc57456fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 3 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #21: officec2rclient.exe
0
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe |
| Command Line | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:46 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5b8 |
| Parent PID | 0xf2c (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
CC8
0x
804
0x
114
0x
C44
0x
DEC
0x
318
0x
34C
0x
320
0x
274
0x
304
0x
95C
0x
56C
0x
75C
0x
FFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000055629a0000 | 0x55629a0000 | 0x55629bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000055629a0000 | 0x55629a0000 | 0x55629affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000055629b0000 | 0x55629b0000 | 0x55629b6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000055629c0000 | 0x55629c0000 | 0x55629d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000055629e0000 | 0x55629e0000 | 0x5562adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005562ae0000 | 0x5562ae0000 | 0x5562ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005562af0000 | 0x5562af0000 | 0x5562af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005562b00000 | 0x5562b00000 | 0x5562b01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5562b10000 | 0x5562bcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005562bd0000 | 0x5562bd0000 | 0x5562bd6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562be0000 | 0x5562be0000 | 0x5562be0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562bf0000 | 0x5562bf0000 | 0x5562bf0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562c00000 | 0x5562c00000 | 0x5562c00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562c10000 | 0x5562c10000 | 0x5562c10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562c20000 | 0x5562c20000 | 0x5562c2ffff | Private Memory | - |
|
|
|
- |
| private_0x0000005562c30000 | 0x5562c30000 | 0x5562c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005562c40000 | 0x5562c40000 | 0x5562c41fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005562c50000 | 0x5562c50000 | 0x5562c50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005562c60000 | 0x5562c60000 | 0x5562d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562d60000 | 0x5562d60000 | 0x5562e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005562e60000 | 0x5562e60000 | 0x5562f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005562f60000 | 0x5562f60000 | 0x556301ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005563020000 | 0x5563020000 | 0x556302ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005563030000 | 0x5563030000 | 0x55631b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000055631c0000 | 0x55631c0000 | 0x5563340fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x5563350000 | 0x5563686fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005563690000 | 0x5563690000 | 0x556378ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563790000 | 0x5563790000 | 0x556398ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005563990000 | 0x5563990000 | 0x5563991fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000055639a0000 | 0x55639a0000 | 0x5563a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005563aa0000 | 0x5563aa0000 | 0x5563aa0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005563ab0000 | 0x5563ab0000 | 0x5563abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563ac0000 | 0x5563ac0000 | 0x5563bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563bc0000 | 0x5563bc0000 | 0x5563cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563cc0000 | 0x5563cc0000 | 0x5563dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563dc0000 | 0x5563dc0000 | 0x5563ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005563ec0000 | 0x5563ec0000 | 0x5563fbffff | Private Memory | rw |
|
|
|
- |
| counters.dat | 0x5563fc0000 | 0x5563fc0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000005563fd0000 | 0x5563fd0000 | 0x55640cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000055640d0000 | 0x55640d0000 | 0x55641cffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x55641d0000 | 0x55641d4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x55641e0000 | 0x55641effff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0x55641f0000 | 0x55641f2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005564200000 | 0x5564200000 | 0x5564201fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005564210000 | 0x5564210000 | 0x556430ffff | Private Memory | rw |
|
|
|
- |
| crypt32.dll.mui | 0x5564310000 | 0x5564319fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005564320000 | 0x5564320000 | 0x556441ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005564420000 | 0x5564420000 | 0x556451ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005564520000 | 0x5564520000 | 0x556491ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff9c0000 | 0x7df5ff9c0000 | 0x7ff5ff9bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff611ce0000 | 0x7ff611ce0000 | 0x7ff611ce1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611ce2000 | 0x7ff611ce2000 | 0x7ff611ce3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611ce4000 | 0x7ff611ce4000 | 0x7ff611ce5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611ce6000 | 0x7ff611ce6000 | 0x7ff611ce7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611ce8000 | 0x7ff611ce8000 | 0x7ff611ce9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611cea000 | 0x7ff611cea000 | 0x7ff611cebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611cec000 | 0x7ff611cec000 | 0x7ff611cedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611cee000 | 0x7ff611cee000 | 0x7ff611ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff611cf0000 | 0x7ff611cf0000 | 0x7ff611deffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff611df0000 | 0x7ff611df0000 | 0x7ff611e12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff611e14000 | 0x7ff611e14000 | 0x7ff611e14fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611e16000 | 0x7ff611e16000 | 0x7ff611e17fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611e18000 | 0x7ff611e18000 | 0x7ff611e19fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611e1a000 | 0x7ff611e1a000 | 0x7ff611e1bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611e1c000 | 0x7ff611e1c000 | 0x7ff611e1dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff611e1e000 | 0x7ff611e1e000 | 0x7ff611e1ffff | Private Memory | rw |
|
|
|
- |
| officec2rclient.exe | 0x7ff612080000 | 0x7ff6137a4fff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffc3f410000 | 0x7ffc3f4adfff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ffc42390000 | 0x7ffc423a3fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ffc42440000 | 0x7ffc4245efff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ffc4a100000 | 0x7ffc4a17ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7ffc4b290000 | 0x7ffc4b536fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ffc4b540000 | 0x7ffc4b6d6fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffc4b8c0000 | 0x7ffc4b8d4fff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x7ffc4b930000 | 0x7ffc4bc6cfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffc4c270000 | 0x7ffc4c279fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| apiclient.dll | 0x7ffc4cec0000 | 0x7ffc4cefbfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4d090000 | 0x7ffc4d139fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7ffc4db10000 | 0x7ffc4dbb6fff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x7ffc4dbc0000 | 0x7ffc4dbd5fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ffc4f660000 | 0x7ffc4f686fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7ffc4fe10000 | 0x7ffc50354fff | Memory Mapped File | rwx |
|
|
|
- |
| hlink.dll | 0x7ffc50380000 | 0x7ffc5039efff | Memory Mapped File | rwx |
|
|
|
- |
| msimg32.dll | 0x7ffc503a0000 | 0x7ffc503a6fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ffc50400000 | 0x7ffc504f1fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ffc522a0000 | 0x7ffc5233bfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x7ffc52bd0000 | 0x7ffc52bf4fff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ffc531b0000 | 0x7ffc531d7fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffc53720000 | 0x7ffc53777fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffc53980000 | 0x7ffc539f3fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffc53f30000 | 0x7ffc53f65fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffc53f70000 | 0x7ffc53f95fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ffc54ca0000 | 0x7ffc54cf3fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7ffc55630000 | 0x7ffc557f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x7ffc57450000 | 0x7ffc57456fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #23: winsys.exe
9
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\programdata\winsys.exe |
| Command Line | C:/ProgramData/WinSys.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:26, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb18 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D00
0x
B74
0x
D10
0x
CF4
0x
CBC
0x
CE8
0x
CEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| winsys.exe | 0x00040000 | 0x0005dfff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000de0000 | 0x00de0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00deffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00df3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e00fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00fb0000 | 0x0106dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x010affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010b0000 | 0x010b0000 | 0x010b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x010cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x010dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010effff | Private Memory | - |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0110ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0111ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x01120fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0122ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0132ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001330000 | 0x01330000 | 0x01330fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001340000 | 0x01340000 | 0x0137ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001380000 | 0x01380000 | 0x0138ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001390000 | 0x01390000 | 0x0139ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013a0000 | 0x013a0000 | 0x013affff | Private Memory | - |
|
|
|
- |
| private_0x00000000013b0000 | 0x013b0000 | 0x013bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013c0000 | 0x013c0000 | 0x013fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001400000 | 0x01400000 | 0x01400fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001410000 | 0x01410000 | 0x0141ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001420000 | 0x01420000 | 0x0142ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001430000 | 0x01430000 | 0x0143ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x014dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x0147ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001480000 | 0x01480000 | 0x014affff | Private Memory | - |
|
|
|
- |
| private_0x00000000014b0000 | 0x014b0000 | 0x014effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014f0000 | 0x014f0000 | 0x014fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001500000 | 0x01500000 | 0x0150ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001510000 | 0x01510000 | 0x0151ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001520000 | 0x01520000 | 0x016a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000016b0000 | 0x016b0000 | 0x01830fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001840000 | 0x01840000 | 0x02c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d40000 | 0x02d40000 | 0x02d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d80000 | 0x02d80000 | 0x02d80fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x04daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04eb0000 | 0x051e6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x052effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005350000 | 0x05350000 | 0x0535ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005360000 | 0x05360000 | 0x0548ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005500000 | 0x05500000 | 0x0550ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000005510000 | 0x05510000 | 0x0650ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006510000 | 0x06510000 | 0x0750ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007510000 | 0x07510000 | 0x0775ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007760000 | 0x07760000 | 0x0875ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008760000 | 0x08760000 | 0x0975ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009760000 | 0x09760000 | 0x0985ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009860000 | 0x09860000 | 0x0995ffff | Private Memory | rw |
|
|
|
- |
| system.windows.forms.dll | 0x09d00000 | 0x0a197fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x5baa0000 | 0x5baa7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x5bab0000 | 0x5bb22fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x5bb30000 | 0x5bb7efff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x71f10000 | 0x728bcfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x728c0000 | 0x7293cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x72a10000 | 0x73c3afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x73c40000 | 0x73d34fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x73dd0000 | 0x74477fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74480000 | 0x74487fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74530000 | 0x745a7fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x745b0000 | 0x74608fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74630000 | 0x746a4fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74750000 | 0x747a8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x747b0000 | 0x747b9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x747c0000 | 0x747ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74a00000 | 0x74aabfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74ab0000 | 0x74abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74da0000 | 0x74de3fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x74df0000 | 0x74f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74f10000 | 0x74f3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74f40000 | 0x7502ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75030000 | 0x7517cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75180000 | 0x7518efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75190000 | 0x75305fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75310000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76790000 | 0x76c6cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76c70000 | 0x76daffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76f20000 | 0x76fddfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x770d0000 | 0x77161fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x77170000 | 0x77259fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x77260000 | 0x772a3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x772b0000 | 0x772f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77300000 | 0x7738cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x77390000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x77550000 | 0x775cafff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x776b0000 | 0x77828fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f0f4000 | 0x7f0f4000 | 0x7f0f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0f7000 | 0x7f0f7000 | 0x7f0f9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0fa000 | 0x7f0fa000 | 0x7f0fcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0fd000 | 0x7f0fd000 | 0x7f0fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f100000 | 0x7f100000 | 0x7f1fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f200000 | 0x7f200000 | 0x7f222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f223000 | 0x7f223000 | 0x7f223fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f226000 | 0x7f226000 | 0x7f228fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f229000 | 0x7f229000 | 0x7f22bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22c000 | 0x7f22c000 | 0x7f22efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f22f000 | 0x7f22f000 | 0x7f22ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc57b4ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffc57d12000 | 0x7ffc57d12000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0xd00
7
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = COR_ENABLE_PROFILING |
|
1 | |
| File | Get Info | filename = C:\ProgramData\WinSys.exe, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\SystemDebug.exe, type = file_attributes |
|
1 | |
| Mutex | Create | mutex_name = f6a845a7-3909-486d-8d82-29892b2a38d4 |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
Thread 0xce8
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 |
Thread 0xcec
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 |
