CryptoWire Claims to be WanaCry4 | Sequential Behavior
Try VMRay Analyzer
| Host | Resolved to | Country | City | Protocol |
|---|---|---|---|---|
| blockchain.info | HTTP |
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe |
| Command Line | "C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:13, Reason: Analysis Target |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:05:02 |
| Information | Value |
|---|---|
| PID | 0xaa0 |
| Parent PID | 0x138 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA4
0x
654
0x
65C
0x
858
0x
8F8
0x
5F8
0x
8EC
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\progra~1\common~1\wanacry6.malware.exe | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcookies\mq6x6yzs.txt | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\progra~1\common~1\wanacry6.malware.exe | 1.00 MB (1050112 bytes) |
MD5:
d78bfdd6242361aa09a0e730ae9dc49a
SHA1: 5e301e5ee7ce8840bf9003df1f3d5cf3679f5753 SHA256: bc885443e29b027d5f307e2f3d36e70ba650d608604aeeea7e748c6dc948a8a6 |
|
|
| c:\users\5jghkoaofdp\desktop\-kar\g_kf.encrypted.mp3 | 65.02 KB (66576 bytes) |
MD5:
b79e63555e23b2edc0e00c32a4fa0884
SHA1: f95d612fba79eae8bfc1d1fdee957cd12534acee SHA256: 57d1b0bdf7f65da952686fdfa495272005fc07c3c1580ee2e6d2b90b640c0639 |
|
|
| c:\progra~1\common~1\log.txt | 0.05 KB (54 bytes) |
MD5:
2605c07ccc62b24d2b318ca3a5718e24
SHA1: 2125d239b98eb975eb7d8f7fe6684d7051b9d704 SHA256: 23c0459b4ce51d5a150c875212bdbfbfcf7f77fb7aa8946272751b5450c1dbce |
|
|
| c:\progra~1\common~1\log.txt | 0.12 KB (118 bytes) |
MD5:
dcd8231c5708b77a71552516c086bacd
SHA1: 050df9bde375c6bed2e22de6dd304d5734296028 SHA256: 7d4fae95023e8ad8e5f6b1690d25e4505abda815c798f34bc0aae13f1b5b270b |
|
|
| c:\users\5jghkoaofdp\desktop\-kar\mbc0rw8uo_of3f5.encrypted.wav | 78.33 KB (80208 bytes) |
MD5:
2e958962673a31fd916c7cca5ba74d68
SHA1: 0c0cd7f94849a45609df2950f31065fbf73645fa SHA256: 709c7d125d92a8dcfcffb0def0aa88ba170418d6c00cce93575c7d388bbb4a46 |
|
|
| c:\progra~1\common~1\log.txt | 0.23 KB (238 bytes) |
MD5:
3c69abc1c1d32b44f0a05e221065de32
SHA1: 17224d3bd08f7c6162cab8b907c9cb090d164b23 SHA256: aa725385f407bf66734067e03fb3c4b62b6a6b9965db743ff3439627a4cb8596 |
|
|
| c:\progra~1\common~1\log.txt | 0.30 KB (304 bytes) |
MD5:
ec9cdc85265a813d40091057a9e151ac
SHA1: 60c88ed3cb18c4030987f3da11a65cf5c719b6b9 SHA256: 0e5826ed57a3212d0532558facebf9274cc60ce3e775eda765cb3f3915454d09 |
|
|
| c:\progra~1\common~1\log.txt | 0.36 KB (366 bytes) |
MD5:
9e88600f4909ba28158a9657d7c50fb3
SHA1: 11433d1d80cd3e4ac30338327b2468ce439905cb SHA256: 25848ce0fab2d16de19d92908e826840abc100ae530261d6dec65f577aadc8ee |
|
|
| c:\progra~1\common~1\log.txt | 0.42 KB (426 bytes) |
MD5:
4e936c112af90042cc1ac64c462279f2
SHA1: b7467bd7ae3c4e32afc1a2e6323bddc3b12b5597 SHA256: b40887b6c1d0df7ed24f0a43f3cd6da49427e4ce22ba313c127015ccf661cc61 |
|
|
| c:\progra~1\common~1\log.txt | 0.46 KB (476 bytes) |
MD5:
1dc9409637f3ad57590d6c2ee4b1e322
SHA1: 29ebdd8403694f539a5d7f40994835bb8fa07ad0 SHA256: a28a4260cee9dd75c9402c4942ffe27f904464f7841520b2691ce638e612f7f6 |
|
|
| c:\progra~1\common~1\log.txt | 0.57 KB (584 bytes) |
MD5:
31e807e0cfdd0c81addb0f7f604b828b
SHA1: cf6d6b32a78e0df14154cd7e0d1d8d30794f6701 SHA256: 97a4ce59ad4b4f9d115c428cb723e897275a6b75a09b03e99c9c5a47ad47caa3 |
|
|
| c:\progra~1\common~1\log.txt | 0.63 KB (644 bytes) |
MD5:
024c0ea4b1cbe06a4b652510ca8f4b7b
SHA1: d70029ff311627ac4f36e7685529cdc921cdde85 SHA256: d918748e6ad804260d549073b473e028d2a5a7dfe089ca305b5fb36f076bdf13 |
|
|
| c:\progra~1\common~1\log.txt | 0.68 KB (701 bytes) |
MD5:
de4394c49070917a7e3cc501e6c79447
SHA1: 6c99c2609bffafafc3d33b800d2fd834eab06f00 SHA256: 5f13a0cf63e3c6a183748c4a23edaf50401680fa05c6ae36c2548df5c8f7de0f |
|
|
| c:\progra~1\common~1\log.txt | 0.74 KB (755 bytes) |
MD5:
5daefda60930406262eb476c99982732
SHA1: b76bcf7d18d7531188b219eb53a81b856c8db18b SHA256: 6be8fff890b4eabf022b54a3fe03879a77ad8476dd25e053edaf8d10b658f0be |
|
|
| c:\progra~1\common~1\log.txt | 0.81 KB (828 bytes) |
MD5:
f8b39ab63e6bfe8065811387fff8a7f7
SHA1: 12b6a521e19da9f76ae4c4788484b53072774dea SHA256: f4528a6f53ee4f7c58c7e5c19f307bcadc9b42f63eb5691196185bd8cdfd6cfb |
|
|
| c:\users\5jghkoaofdp\desktop\fmgvztmzkdkwm\a7bot.encrypted.m4a | 23.92 KB (24496 bytes) |
MD5:
2101bf89a5552dcb03eb124768d0e442
SHA1: 7cd777faf79bcb117df6f22d7222f5d3e9865d65 SHA256: 4c42cfd7677e7031389302fc0ea5de3eb28c35ec6fb056ede2a516200113f851 |
|
|
| c:\progra~1\common~1\log.txt | 0.94 KB (965 bytes) |
MD5:
2ae680597d6f96bf157ed16d90b65ceb
SHA1: a86be68244b2c83a4b196ec64456845a2c725779 SHA256: 323dbcdb1c3ed2c1ed5a6a96117d76952168797f2559be85b0e54c6f4ea73e82 |
|
|
| c:\progra~1\common~1\log.txt | 1.00 KB (1028 bytes) |
MD5:
49cdcdfb60f2fb1320196a8427fd7e4d
SHA1: 96843f05c89fb7d219d4fa872972586ff45e84db SHA256: 3d2326f54ee7f713944aeddeab6b2788c26d4123ba199ff158ead824d648a511 |
|
|
| c:\progra~1\common~1\log.txt | 1.08 KB (1102 bytes) |
MD5:
95f23e73ea3985bea024f3869ca28c1c
SHA1: 97da0099f25b9e44ad99f79305cc82c14f59b3e1 SHA256: 62e71b0a44ff501aa76d85fd748a037d4d34de7bfa4beff2371b85049d81d39f |
|
|
| c:\progra~1\common~1\log.txt | 1.14 KB (1169 bytes) |
MD5:
bbc8f183ae7fa98185ad381b19133e5d
SHA1: 022ba1ce640b49d658093ca25fd78ddf16a030f2 SHA256: cce9b9846a8709ac71cb2e9114a0b7c0b20e6c753b1c17b20b7bcc467cac2171 |
|
|
| c:\progra~1\common~1\log.txt | 1.21 KB (1243 bytes) |
MD5:
124953d40d7d62f76364083eb022f5b9
SHA1: 4860cc10c69ba8e7c4e6414d12a019ca3e0bfa20 SHA256: fcce2b2208e0090fb7e511d8f9e83fbcc04eaa2c060c28b73939afd39ca8c986 |
|
|
| c:\progra~1\common~1\log.txt | 1.28 KB (1307 bytes) |
MD5:
17e0f915c2b53cac18d2271dd343f3fe
SHA1: fa5be909291b3eda76790991b1deaf082e898e25 SHA256: 898fce9f2ff65e9fe488318655a8465cfb9937251d6ba56a6198a1a44ffe4d0b |
|
|
| c:\progra~1\common~1\log.txt | 1.34 KB (1368 bytes) |
MD5:
e95aecd8700cf5c7685f7aa3ccdbc5c8
SHA1: 4a9a7d8dafdd993924ecaf94e738efda75ddba68 SHA256: 30d6623b6d05b8f30be75714d2ed3da0712eda178ed1f08e293046734c9a90f9 |
|
|
| c:\progra~1\common~1\log.txt | 1.39 KB (1425 bytes) |
MD5:
c5ee8a849041227305b2a531102e841d
SHA1: 544d5b76afb6df0c5c0d49e4ba0e03446abca91a SHA256: e77cf3f5658958bbcd6e6384888e9c26b2b1b2189bd9c8c12adc7792abe141e7 |
|
|
| c:\progra~1\common~1\log.txt | 1.45 KB (1487 bytes) |
MD5:
8d233bd45f5a2c67dc9e17ab1512ab43
SHA1: e13e688cd06c50c33f9f127789f0f441a6749b85 SHA256: 47f82639110ff5c772ba4cf0ca0c9efcc0d442c6483fd83e985f7190bc271b04 |
|
|
| c:\progra~1\common~1\log.txt | 1.50 KB (1539 bytes) |
MD5:
23fc87dc2318158ec4f6252134214af1
SHA1: 3ca3b63282cbaceb0177887856b64c3af5e7b28a SHA256: 341d76246e87b0a1a42090b195c331825a2c260827a15a8dc9434e4308152f0b |
|
|
| c:\progra~1\common~1\log.txt | 1.56 KB (1594 bytes) |
MD5:
2c0954a9b82019640f94f0ccff4d8074
SHA1: 6b6a225585fe305641723e210e382e3cad772c70 SHA256: 0efa3e2b045d2028b0540203d9390a812d3566f3cb12589b7f15ced2ac2fdf61 |
|
|
| c:\progra~1\common~1\log.txt | 1.62 KB (1658 bytes) |
MD5:
ef6bf9d25aa4b9adbd5a8d5add95ba9e
SHA1: a4f5581cf4777a804d069bd2ef3de36313ee4393 SHA256: cab588d39661f49485401b77e9ab34331c792ff5c26ebda0d5a60dd859f6c9bc |
|
|
| c:\progra~1\common~1\log.txt | 1.68 KB (1720 bytes) |
MD5:
77b73620de44959ffc6d55423e6250c8
SHA1: bb79b241fb4c922efdacea9bbdc1c4ffcd9ccbd9 SHA256: b3e957ef418b439a5a117a5c06901dee468a8d524ac9245e9804f240ceff032d |
|
|
| c:\users\5jghkoaofdp\desktop\m2gzlacpzqejs2kmo8d.encrypted.pps | 71.98 KB (73712 bytes) |
MD5:
ef0c63672acbc5cae3ffc517fef1c569
SHA1: c126369f546d50277d7435ffe7ac41597a62bcd7 SHA256: 0928a4f497025c3cea9b653ef30b21c661e533b913a9d7601be8802733a632fb |
|
|
| c:\users\5jghkoaofdp\desktop\n0ie6v_g.encrypted.avi | 12.38 KB (12672 bytes) |
MD5:
d54ab970520126076248ec39cae01a6c
SHA1: 5fa715bc50a9c3b3ae121b47b007860592fe3ed9 SHA256: 39c67a2966d099967c245ca997ba0ddd70ef68c0a7b397754822d61ca30e5859 |
|
|
| c:\progra~1\common~1\log.txt | 1.85 KB (1897 bytes) |
MD5:
39689aefd0dfe98110c96897f96a392f
SHA1: 6f633b23f5a7ee99c27e77282b442b917c75bffd SHA256: 07795dd2af69189b6b676f53ff851736888593c69d3259777c8000e777495c19 |
|
|
| c:\progra~1\common~1\log.txt | 1.90 KB (1949 bytes) |
MD5:
dc49d728db8314f85416e38ab819f6fc
SHA1: f4174b597f5465c38f1c6028eeb3512fb963badc SHA256: aee03b48a4d0635374626a05ae2726624c391c2e7cd70c001d640b27d52d5f96 |
|
|
| c:\progra~1\common~1\log.txt | 1.95 KB (1999 bytes) |
MD5:
8c8060f05618889dd3e44c212bfe8dfc
SHA1: 8854c4f20b0309f81f6350d9ff2ebfda24fb0f50 SHA256: 29a669f9bd80531ec99005a65f48cd5bfd6157a7173156a217bd419564519e47 |
|
|
| c:\progra~1\common~1\log.txt | 2.06 KB (2114 bytes) |
MD5:
81018519266ab48dab0fb03762365e58
SHA1: 2a6bae0cee5982a9561513a19efb55a30b478631 SHA256: 739be898a888a3d1966cb6b55c45494da1c4d90445db375d752a3c69819aab5c |
|
|
| c:\progra~1\common~1\log.txt | 2.11 KB (2163 bytes) |
MD5:
ede7e02b395d3962e1fd1f158ec9dee9
SHA1: 7bed096bb9ecaab40dd060a52542b7a85e891207 SHA256: 775627e4ad422cd447068b1d85bdacb2f12529649fd6300639fc8add726d503c |
|
|
| c:\progra~1\common~1\log.txt | 2.16 KB (2213 bytes) |
MD5:
06ffea0cab3bdb2ce80e6bea74f3436f
SHA1: ffbe790b5e8aebc3e477ab85ebc37f66687bae75 SHA256: b57064c4c9835b199466e83d8123908a1df31302585b014ec07cf89354968633 |
|
|
| c:\progra~1\common~1\log.txt | 2.21 KB (2267 bytes) |
MD5:
ba392b3bb85e6b43c75dcdcb7b2457e2
SHA1: 6655e9b49051d8fa3121300597e4ede3a738f1be SHA256: 223ab7ea0774185f0ee9028365bc2207677e63e216d27dfe328424b863ae5322 |
|
|
| c:\progra~1\common~1\log.txt | 2.26 KB (2317 bytes) |
MD5:
6990e676ae0eeb2a80061300a2f39dd4
SHA1: b494d6c28109b3fd08ef5a46f5bff36976833f52 SHA256: 6f534913826f3d237a6c1620ff3cfa31a4c157cbd1ddfab5b7cb8852246f61a2 |
|
|
| c:\progra~1\common~1\log.txt | 2.32 KB (2377 bytes) |
MD5:
64cf708e30cea784a1c8999d45a9a2c0
SHA1: 2b872906b91a204e858ac63bd760437050dd6dda SHA256: 588da65eece7c2795fa3c0aff62e9e5cf2f23c405d8bc13c4453d8732f4b1f94 |
|
|
| c:\progra~1\common~1\log.txt | 2.38 KB (2441 bytes) |
MD5:
052df55ccdeeb3e6232055d18085816d
SHA1: fbcb2c607cac6bd9e2b2883413e98883bb5c6998 SHA256: 93121b9914f4d1cf78b2483dae3f5effabac78d8de18770a2d285f98128473b6 |
|
|
| c:\progra~1\common~1\log.txt | 2.44 KB (2494 bytes) |
MD5:
ac5778ab1c530df7a656a1fa1e1f43fb
SHA1: 55aacf108f992aa9b6d41f789111e523e63ccf9e SHA256: 831b9cc04aa94eab46723a8508ddfd389d1cd7c01ddc06b55450021e8c09ff33 |
|
|
| c:\progra~1\common~1\log.txt | 2.50 KB (2558 bytes) |
MD5:
e7562dbe3a0a7164a94dadd090d5d7f0
SHA1: 0cb4edda0487a85fa9325736bcd81d804cf12c39 SHA256: 264fd78c07cef6a2840363c825e56ddf6ebc4a0801334076686dd6e09b1478c7 |
|
|
| c:\progra~1\common~1\log.txt | 2.55 KB (2612 bytes) |
MD5:
dda813ce3faa872347b1c3bda54c9e4b
SHA1: d667f3d11e17dbf752e48d46def0b153c99b4745 SHA256: ec8548ca43c34d48be3ab8b2e18efcc37d01411cda6fda678f33f26dbe38463a |
|
|
| c:\progra~1\common~1\log.txt | 2.61 KB (2674 bytes) |
MD5:
d2d8da7608a20fe5b799e02967dfda38
SHA1: 69154581c36bffeb31320e1f748ea0571aa882c5 SHA256: 3438d0124d4b02671f591962b33f496004d708cd9071ad6a52c5ee4501e6587a |
|
|
| c:\progra~1\common~1\log.txt | 2.72 KB (2784 bytes) |
MD5:
15e42808039cc39fe3f9516a66031f5b
SHA1: 8d083844d2a7ea5c3a6ea7edb48d6f242ce1695e SHA256: 1de3256477e0950daeacd14bec8800dbbb65cb580b81de3887104d5ca6f0bcf2 |
|
|
| c:\progra~1\common~1\log.txt | 2.79 KB (2852 bytes) |
MD5:
95d4c0440af2c5ba6c69e5073bd1c06c
SHA1: 8dcc4b991101ef4a83285af9077b8af04d4eca97 SHA256: 37ce028ddb5b7e0f1af1126abb1917fe4b4099793ac79698f33b4c7e1453f23e |
|
|
| c:\users\5jghkoaofdp\documents\fw u\6esq8lzbvb5xjb1xlyrd.encrypted.odt | 99.83 KB (102224 bytes) |
MD5:
d69ed40b6ef264201dd313d96d6951c1
SHA1: ee645d66a78ad34f30b9d90af86f50f213bcfa27 SHA256: 446c89e1a7c24649e12ec32e2c3da633bb94342f2d1e751be378bc9435ea87b6 |
|
|
| c:\progra~1\common~1\log.txt | 2.91 KB (2984 bytes) |
MD5:
a14867b6386d4c5ace4d1d3612758aa2
SHA1: 3a11db4873afdab5c1bf9c1d86260787012b4a15 SHA256: 4c799c12466454a1e84eabb182146ad7348c7592bffe35b5144f921c5a2a9faa |
|
|
| c:\progra~1\common~1\log.txt | 2.99 KB (3065 bytes) |
MD5:
0262f91220efdb1b4e5f42e8afc0b3fa
SHA1: 8127a068ce78519d95eb20a790a849d2f7b457ea SHA256: fa5f45e7a149d4b247950addb7213e343216ea880aa04e5c3a99e38607da542b |
|
|
| c:\progra~1\common~1\log.txt | 3.08 KB (3156 bytes) |
MD5:
a61445a348b21ddc7929f9feb00f6ca4
SHA1: e060689e413c1db289f3794aaec9ea8cc8de3338 SHA256: a23d946bdbc25640129d0454391c54f268476b272e152480493d1decadfe330c |
|
|
| c:\progra~1\common~1\log.txt | 3.17 KB (3241 bytes) |
MD5:
3483f91ec6733873056dc2bbaae2bdba
SHA1: 7ec439b4bfb42107ecc282ad08c7a47f0f4c28a0 SHA256: 702901313bc29d82fd1b03e6cfeb4efb58d41261633290bbbb4bd05a49c4b9d4 |
|
|
| c:\users\5jghkoaofdp\documents\fw u\dqohpg0nf9r1mosxu\wkbfm0bgic5.encrypted.pps | 45.80 KB (46896 bytes) |
MD5:
016becc51450c820dde6162f0ac08715
SHA1: 3c89849ac87f40f76cac4658dadba6f778632906 SHA256: c9351874bc42f12d279b4559b9a3ae1c996c20baa21473a8714151a4c9ac6b89 |
|
|
| c:\progra~1\common~1\log.txt | 3.33 KB (3414 bytes) |
MD5:
028475f04cb4b0015ed159c5a3c52344
SHA1: 79e9c34300da936202274f039e8a89551bd439db SHA256: d52f565d184c3e6b5f68496a46401d61d8e5a44168c1a34c6665fdbe4a6944ac |
|
|
| c:\progra~1\common~1\log.txt | 3.42 KB (3506 bytes) |
MD5:
f04c979a6ca96f275c1983e189e49a71
SHA1: 2fff3c5e3de45e1fa93f0b45d7d2c689e79afcdd SHA256: 3c7ed75d5fd52590a72d8b37772d8b38ed0f4e045efac4553243e788511897a5 |
|
|
| c:\progra~1\common~1\log.txt | 3.51 KB (3593 bytes) |
MD5:
c1deda669411954e7c0796cda7c44858
SHA1: e1480bc45f92d4f491c5e43905d728288d26b3a8 SHA256: 43f0cbc263712e206094ef6a330c12a109096e5bff04e2541cd13966ad0acec3 |
|
|
| c:\progra~1\common~1\log.txt | 3.58 KB (3671 bytes) |
MD5:
bbb45300aad036b1c2e4b8f87bb1cf50
SHA1: 4663146013d877beb2a1ef06323e6e08ebcfb3fc SHA256: 6f17e9a2e04801aea643cba69b335ba7fa25e5ba1d3d3f9afdfcf57515dd344f |
|
|
| c:\progra~1\common~1\log.txt | 3.65 KB (3737 bytes) |
MD5:
812c642e17fe3dafda09bc3024e88e85
SHA1: 5ec7d7a043009514c243339f0b812d54a75112f2 SHA256: 097188412e2f545dbfaa42d9ae3a89ac8187959bb59fa70702994303216b7a7c |
|
|
| c:\progra~1\common~1\log.txt | 3.71 KB (3802 bytes) |
MD5:
585e5a5cf38212222c56cb579b2c677f
SHA1: 97f5c81c5a4300421ee85ae5fe7a43b9306f1e03 SHA256: b1bf8f93d22152954aaadcdb985db13661e3cc5e156e9929e2d22cd35f441083 |
|
|
| c:\progra~1\common~1\log.txt | 3.78 KB (3868 bytes) |
MD5:
cc518181b54ca9c4593c8af23b337110
SHA1: 65fb9775a9c9c838031e3098b2a6b1fa7e229261 SHA256: ca26427b16d46fb8b3acaa7e35b77057d4f4935cfa7c62b7ac0b899c73daee11 |
|
|
| c:\progra~1\common~1\log.txt | 3.85 KB (3942 bytes) |
MD5:
b7e61e0ce67b2afbbad514aeeb2f16f5
SHA1: d8dc24a281b9892e8a266ed5d6836674bc7c8e7b SHA256: e54d75426b10cd14d6ba4eb8b2dca6b63c3bb8b217a63a57de561de9485dcb00 |
|
|
| c:\progra~1\common~1\log.txt | 3.91 KB (4007 bytes) |
MD5:
c5505f146ae475fc8da0d80dc1979cc9
SHA1: e39d16553a0dc82da4c8b7bdcbf10714695beea7 SHA256: 80ecb21d65879b0d5176ec3c856031954f24d74c32345f73a74d4438ca78cfac |
|
|
| c:\progra~1\common~1\log.txt | 4.04 KB (4140 bytes) |
MD5:
04c652c8f73bd225b9a2f18c0053e496
SHA1: 41f6f78c05f7536e6d3626b9a5cad60802128004 SHA256: 0a81e80c28ed23d7dd99cfa514d91ad0549134c662577049c2c413adc6dc4b92 |
|
|
| c:\progra~1\common~1\log.txt | 4.18 KB (4282 bytes) |
MD5:
7d4c8e3c527ea8613ff16f8c80626e0c
SHA1: 8d7d1d7171e13fb5d08baf6baf4f5b097f3e9fd8 SHA256: 391c8e38e18d9de18dc5883326314ae33333db3659916d087e4606b04a254446 |
|
|
| c:\progra~1\common~1\log.txt | 4.25 KB (4356 bytes) |
MD5:
0e773de37700ef66797fe352cc0cb3c5
SHA1: a240abf258e7ef22fbdc0157974e93b1eb15d9ef SHA256: 3fbe9030a164bd070bb9f1a50a18d66ca8f39d147dae1b3a8a2ef6f6197a05b7 |
|
|
| c:\progra~1\common~1\log.txt | 4.31 KB (4409 bytes) |
MD5:
94fcb798c6a5c39d87e14944f04d80bd
SHA1: df1b5c7b996e4c50837d120c326d008adac1572e SHA256: 891ac0f45d77c76f7215e5ad11c6e65e1e89210e24c9b6b4c6f361e77c5fffb6 |
|
|
| c:\progra~1\common~1\log.txt | 4.36 KB (4464 bytes) |
MD5:
4f60ff316054779deae30d8632f9864c
SHA1: 37c21bfecc4b9986c196d27975311172ec5d165b SHA256: 832db58bd37a301ee9fca3c7469cc8489e3726398b8c109f883b8f0dd813660c |
|
|
| c:\progra~1\common~1\log.txt | 4.42 KB (4523 bytes) |
MD5:
9265fe43dbfbb104f310a12618573cab
SHA1: 5c1a0918fa9ffce177896ada56a9c51551c794de SHA256: e84d6dfaed2aaa3bd9c8520abc5ba9f72fe708caa3699094c6431cafb937ba0b |
|
|
| c:\progra~1\common~1\log.txt | 4.49 KB (4595 bytes) |
MD5:
e94a0783b90f068ef239fd198eab3bf5
SHA1: be4e8fa60da8e3c6ac6005ec21af2a737b37909c SHA256: 6461bccde6ff08d84cf5038a03897c12c2c8deaa1872b642c29d9713182173fe |
|
|
| c:\progra~1\common~1\log.txt | 4.55 KB (4664 bytes) |
MD5:
d263bb266796ca748022755394bfa214
SHA1: f156383d6296daf35d01a734db8f29f84a70d94b SHA256: 9f777850ba1457382d4da233443ffee7a30aaf4bd993837c715a383edf92c5e9 |
|
|
| c:\progra~1\common~1\log.txt | 4.62 KB (4735 bytes) |
MD5:
215f21c7c5acf9f76c985e86c0e7dcbc
SHA1: 80a40f36952e35124dfa1d4508bc6ccb6f8bb8cb SHA256: 677c49fa7fbe267313d163c84c94dcc19a4a3d418762ed5434de4222dfc4422b |
|
|
| c:\progra~1\common~1\log.txt | 4.70 KB (4812 bytes) |
MD5:
5c7257d85e76a786241ccaf4d6310638
SHA1: b5468be4d7286d297fdc85d511fc83aab1d704b3 SHA256: eea3eeb4250f20218704b73020ee16703e0718285e7b680da6aec24f011aac37 |
|
|
| c:\progra~1\common~1\log.txt | 4.77 KB (4887 bytes) |
MD5:
d9a672f6d8fe6553a256f5603bdd5bd1
SHA1: 770754397c4ea146feec332286eac09a6fe4c9f0 SHA256: 9046d45c51779957c70af827eca61a13f9b7414c62d22cac0dc79f92070e48cf |
|
|
| c:\progra~1\common~1\log.txt | 4.84 KB (4955 bytes) |
MD5:
e93019f7be37412418d7e40fbfd308c7
SHA1: 20d81f76ef640a55942de696583ebfbba49c5c31 SHA256: 6f36808e492b059cf1f26786bd338d27911be2467c7852c10475d0c2ea94bc74 |
|
|
| c:\progra~1\common~1\log.txt | 4.92 KB (5036 bytes) |
MD5:
fc3fe5af8ac92ffe760fa33bffe9aae7
SHA1: 1e91a00aba0debe60a8231738185dba6e573c578 SHA256: a408a884e036408b73528052e049ae08bc43f5bc907aadaa6910e9175e014df9 |
|
|
| c:\progra~1\common~1\log.txt | 5.00 KB (5116 bytes) |
MD5:
0f10ad8499833cfeacb11efcd21c98a3
SHA1: 0b00cce55439f2c3ab70cb8aebd6ad6aa13adad0 SHA256: 06d65e283e7e8572b50c21e05264e76dfb41a11c5f5ca97904aa5dc8d5cbbcd1 |
|
|
| c:\progra~1\common~1\log.txt | 5.07 KB (5190 bytes) |
MD5:
7c1eaea8a453bac459114155c7a5b8e4
SHA1: 35f264e38a0e80de6c10e5741771e7eeb408389c SHA256: 98ca45db883db0745b111ae423ad2b9beedaf87341244308cb71775b17c0db78 |
|
|
| c:\progra~1\common~1\log.txt | 5.15 KB (5271 bytes) |
MD5:
dec70630f7a97fb171d6f42ddd6f247c
SHA1: 8efde3d289d2100240b5424e2fc6ceb439af0f08 SHA256: 3c20e61684cb287dd62de88694eecb0d5dd67c0bc9915643893adec507fb2e54 |
|
|
| c:\progra~1\common~1\log.txt | 5.22 KB (5348 bytes) |
MD5:
61eae17fc109442a1406448079bc049e
SHA1: a1351c4cc011331920307eac2f9c41147f87ce3d SHA256: 57d0b25351529d92b1ed7547c24fe7878809406475a9e38aee109a56501b48ab |
|
|
| c:\progra~1\common~1\log.txt | 5.31 KB (5442 bytes) |
MD5:
c5a36b47b9081e94530285a1de8e6c1a
SHA1: 553b1b6f1efcf0e5d5f21f98aa812d275ad59346 SHA256: 021498e596de897546a3f287262eb15e2a9c77880fddbf4729f4f31ed85e11b0 |
|
|
| c:\users\5jghkoaofdp\documents\onenote notebooks\my notebook\quick notes.encrypted.one | 353.55 KB (362032 bytes) |
MD5:
75c6ce6d9424b73aa80240b86b17a7cf
SHA1: 93cd2fc955c0c334cbde020746710f3f56991f30 SHA256: 85181b0f7419ffc6c68e72c1f4d045bd59373416ff48838a0ac19087abaa9c9c |
|
|
| c:\progra~1\common~1\log.txt | 5.48 KB (5610 bytes) |
MD5:
accda2952af8bc8b3a8c5e89169107a8
SHA1: f4ec3fcf00df5854a68f891d6a49bd40ad1ab966 SHA256: 585b346c2b84e1479764640cd68ef1827e7e11851682b21a48ce7f52dc5ed384 |
|
|
| c:\users\5jghkoaofdp\documents\pldu.encrypted.docx | 19.27 KB (19728 bytes) |
MD5:
ccdd9bf84db49be6ddecf43581b52990
SHA1: 7e49228b19486952f30c7e135d7464f05247f819 SHA256: 0b43a83baa0bb26b8f60a8d73f1d067e377ef81a19cd46dbce54a1fce8cb9c4b |
|
|
| c:\progra~1\common~1\log.txt | 5.59 KB (5728 bytes) |
MD5:
3dc4ac216ba25f02ceda1bc88ffda217
SHA1: c557735e0c8e1f684e57c7880b4f09942ce1d66d SHA256: 5f32fa5b04c3923ae261550e2c30da8b16db3e54104e48c11cb9013e48ac7b6a |
|
|
| c:\progra~1\common~1\log.txt | 5.65 KB (5787 bytes) |
MD5:
c0bb5d61b9eec918801e422f8ffb8513
SHA1: 14fed7dc68ddd6066a57473ab5511ca52d537bdc SHA256: a03423ff05f929a761e09dcd31f59e948cdafa73cb89d24c28434c91ab16fd64 |
|
|
| c:\progra~1\common~1\log.txt | 5.71 KB (5850 bytes) |
MD5:
14d260a6115598e241faac81034e1087
SHA1: 82cd81466fd4893066017663b57002e49909108e SHA256: 6b304f32947b230860ef5179a780945b6ccc4aac270dc4e72712a8c7908a047a |
|
|
| c:\progra~1\common~1\log.txt | 5.77 KB (5912 bytes) |
MD5:
065f621f348133743ad1249d337c972b
SHA1: 86e2d3df6d2c90cdda9e0998176ffeb0cf012615 SHA256: 30a4cf6ca0c447f5740d4afe14a1c46003ced874d823675b5f1387a0db7650c7 |
|
|
| c:\progra~1\common~1\log.txt | 5.82 KB (5964 bytes) |
MD5:
04a685fedd3ac655480393cb505f324f
SHA1: 7269f8b17ad4145196309456304e8b982b80cadb SHA256: 8d10a9450a68b45697ec1903b8d8758743e1cea75219cb67fa89adf22a0b511a |
|
|
| c:\users\5jghkoaofdp\documents\zd9_fkulwlewhm.encrypted.xlsx | 86.44 KB (88512 bytes) |
MD5:
5103ba382b3ff4928f0be25060ae01be
SHA1: c7f3d4c7670d35d579671ccfd78d4801fe5e0ae5 SHA256: 7f3b86e47b1d930a6ce211d85cb1f99e1e74dd8591f273948de04be20209b791 |
|
|
| c:\progra~1\common~1\log.txt | 5.95 KB (6093 bytes) |
MD5:
8124b358fb97558d912d56e3f781a3d5
SHA1: ed8564253b825e85240c4b163320960a4d089d0f SHA256: 710f8023176ba02e6cf50de936e1c8421df8389af85918f487145d2a6888bed7 |
|
|
| c:\progra~1\common~1\log.txt | 6.01 KB (6158 bytes) |
MD5:
0dde0bebbefba6f054ed2aaf86acd5da
SHA1: ff6e9226092a22f09d24639f943037c091af861a SHA256: 26b02649e4c83ebe74097cc5ebc536a891c0c4eab7ab47ecec8c730f74f156be |
|
|
| c:\progra~1\common~1\log.txt | 6.07 KB (6216 bytes) |
MD5:
7c6f98304663c237935a6d8c918c6834
SHA1: e33ea4844b41eca9d91ca99f09c96da63169412d SHA256: a1d8347c65f80208e6e33fc143ed68687e4e92de13e7e925597519dedb474bd9 |
|
|
| c:\progra~1\common~1\log.txt | 6.12 KB (6266 bytes) |
MD5:
bf6f677076f31be57c2bcbb25de51a4a
SHA1: 48984ea3f30f4fefffff3a40336055d5b1675249 SHA256: 690b5abc55f49e99dc479cce0489d79190ef5827ac912103a8d6d997dece1f44 |
|
|
| c:\progra~1\common~1\log.txt | 6.17 KB (6322 bytes) |
MD5:
0f116efaa3322016bc41a511202e6738
SHA1: f5f8591d7aedbbf9dd854f71db05e7aafd472537 SHA256: a3bea9b51d75c83d7cb8b08f065e267d2e36ef8fd139bf54cf541fb683c36275 |
|
|
| c:\progra~1\common~1\log.txt | 6.22 KB (6371 bytes) |
MD5:
69ab972dfa43be74c887a4d31ae42aa2
SHA1: 4eb54aed3dcb5cc9fbe0347e5e086c02659b3702 SHA256: 1deb08c806b9b46d8bb35c31455c3e83a2abcab30aede8ac039128de6b2a0676 |
|
|
| c:\progra~1\common~1\log.txt | 6.27 KB (6420 bytes) |
MD5:
00cf613cbc4cfa51070a3a07f3472c7f
SHA1: 8b4993d3e518ca3d35a65cd18226320a10bfc1b4 SHA256: d43548d63fb98d2f961a48e484165e4ce5f5589e5fe7af30cb37c61841a83051 |
|
|
| c:\progra~1\common~1\log.txt | 6.33 KB (6479 bytes) |
MD5:
a765a9aad60f2e425b85797ec300bd0e
SHA1: 9d9ced668736a9dd5433be40bdd2c32b1d49ddd8 SHA256: 48e761919d6aadbb4f117ba3332b7d9d225f917d96b56e5da150b8abac89773f |
|
|
| c:\progra~1\common~1\log.txt | 6.38 KB (6532 bytes) |
MD5:
aed6a6d2060741552f73b2a2c4a37c73
SHA1: 13b1b0d2b1a092cf8bec3f9b697b696cbe00b1da SHA256: 70e8ff58284d32ca674ad31c9d0a30cafcb123751b134355ebbd9cb9bf243ad0 |
|
|
| c:\progra~1\common~1\log.txt | 6.43 KB (6589 bytes) |
MD5:
5babe46533fc7df489ed04ffb5e9b2e6
SHA1: be03a86db5dbb9902c2d2da5abc0c4b2e5724daf SHA256: 45dd1eed4a29a10fa020512a97b2ceb3f849e0294485f835b152ddb05dfa0f21 |
|
|
| c:\progra~1\common~1\log.txt | 6.48 KB (6639 bytes) |
MD5:
6aec49444211fc7ae8f72befd5ab6ff5
SHA1: 395ec3dbb38c30ed22f05f6bfb80a3e1940d8b54 SHA256: 48131131aec0cf51e3f457aa39432239c460f4159f150d209ce9995437ca472f |
|
|
| c:\progra~1\common~1\log.txt | 6.54 KB (6701 bytes) |
MD5:
3d04b6b44539feb4e460d221a122fcc4
SHA1: febc01b0a6a9839136a189dd5c14c8f1624290cc SHA256: caa1070e985eafb07053f9ad92eebc7c59cd95a86fb7c61204d1ca6db66ca600 |
|
|
| c:\progra~1\common~1\log.txt | 6.59 KB (6752 bytes) |
MD5:
e883732eececa6c9c29ac2de92e49d87
SHA1: 3badb883af7c8ca8f4fc5734df5ee623f7f56817 SHA256: 8fa612ce686862b73796e16609062d2ff4d923f056c02428126846ede98eee20 |
|
|
| c:\progra~1\common~1\log.txt | 6.65 KB (6808 bytes) |
MD5:
6e266192cf4572df669f2d82224c0226
SHA1: c4314ced5b4dab7ff7be892ae99b06fd676d484b SHA256: 0d5383b0d9c47113f366239d4c588ffa39f71efc7d1b74aecb99c25552366b93 |
|
|
| c:\progra~1\common~1\log.txt | 6.72 KB (6878 bytes) |
MD5:
e162c339ad1c7df6c47a05207b857310
SHA1: b556e7b8a52f070ad168b9dbe8ba164ee6c728b6 SHA256: 38797c57543b4ede62c2280a2c7414b783c2fdb4d2449647a657b1aaa00f53aa |
|
|
| c:\progra~1\common~1\log.txt | 6.85 KB (7018 bytes) |
MD5:
c32de3d6eb9c9c30bbbedd123727cf66
SHA1: e6b50f8d68f37871fa27b3f53b2dab2252a35c5c SHA256: 3f7b5fafc3753bcf4f95814c70a3a268b1e6db05696c53bc90e6f606b6a85597 |
|
|
| c:\progra~1\common~1\log.txt | 6.93 KB (7092 bytes) |
MD5:
2dff1676264576eaaec72f40b1a2bd8e
SHA1: e98af0158e1b286537a9e2a8aa3250c3fa43bfae SHA256: 7cb84bdd48ea594e31ce93c142ffc44b87be438ecbaf8e1d8a6ea3c74e81289e |
|
|
| c:\progra~1\common~1\log.txt | 6.99 KB (7161 bytes) |
MD5:
e5499496950290732082924cc3e89e0b
SHA1: 14d2668ba81eb02e649a44142dbb2e57d77e8049 SHA256: 48157f9c3adf09ba84fe2d608ad7cf57f53d90e885d499c0db77ef0b5e27434e |
|
|
| c:\progra~1\common~1\log.txt | 7.07 KB (7237 bytes) |
MD5:
b714bd5118f1657db2f5c5f746f9e94a
SHA1: 2a7b4d02fc526752a084b7c59839661048c8d188 SHA256: 97ba3238b20c310c32cff472ea174273a25cc69c0b8e79e52f678e09afc7ba8a |
|
|
| c:\progra~1\common~1\log.txt | 7.13 KB (7302 bytes) |
MD5:
528d58e64f661cc7583f0ba76f139405
SHA1: 6c9c3c2a896a55388f42b5dc8d169ae7c005cfca SHA256: 74ec6eefd60fee0b2769eda54735cdad265f45f29f110cb932363f02aaa53825 |
|
|
| c:\progra~1\common~1\log.txt | 7.20 KB (7373 bytes) |
MD5:
f439b21434f582414e2cb47e10a59bd0
SHA1: 4594b95571c82e8bcbf9a59489041c30262cffb4 SHA256: b8c293be36a6cfe96e60b4f530a5f47a94639bba1f9667a1847abf02896a56e3 |
|
|
| c:\progra~1\common~1\log.txt | 7.27 KB (7449 bytes) |
MD5:
ac7ecacc3fd29525463dfc45f3591e48
SHA1: a37bd7e561d38695390af422adc77cb737a8f4c6 SHA256: 778b1a52eeb517f43329e92b8cdd71f8aeccbad2a8afbf73d83ba3a3976a3615 |
|
|
| c:\progra~1\common~1\log.txt | 7.35 KB (7522 bytes) |
MD5:
ee65ad49aab0df6658d04f20dcdd6bbd
SHA1: 350b8715f05d1f20ac90c8a6c24600e8248348fe SHA256: 02242c932ac0bf3b01afd14bd2c123141afe766a4225fda6be69e49c8737c027 |
|
|
| c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\v5iko1.encrypted.mp3 | 41.95 KB (42960 bytes) |
MD5:
6b0977b640f54f2148b33ea9c686360e
SHA1: 04a0d9eb686a127bf5b91c02b0ff84b9f76f2345 SHA256: 1c361912ae72195495356177a335be9ac6cb93bd68206c05460a5d588f49c494 |
|
|
| c:\progra~1\common~1\log.txt | 7.41 KB (7588 bytes) |
MD5:
821abe92ed994861173c7d68c20270cf
SHA1: 93adea30d9c7d12adf5495a7484b6cbb07af9a22 SHA256: 66b592120a010a711cbc0a5877d54118d276baab9a04d92b5d49e8ba2bd61384 |
|
|
| c:\progra~1\common~1\log.txt | 7.48 KB (7662 bytes) |
MD5:
529215af9722162ea5ce3973fe73d23d
SHA1: 0369b110754089ffd03b05b16f55486197133492 SHA256: 0d88137711f9fb9a7c0a8b21fc5c8eeeac49ff9ba2f48057aca928153ce70615 |
|
|
| c:\progra~1\common~1\log.txt | 7.55 KB (7728 bytes) |
MD5:
5b50ddf0f6523f46db23cc63de32dcec
SHA1: 30dd40d6b0d5074e4d0accf9e7ea6546b3405246 SHA256: 3d16b02869fbedbad98378b642f97a85f21f5d532e923af61c30cb2de478d324 |
|
|
| c:\progra~1\common~1\log.txt | 7.62 KB (7803 bytes) |
MD5:
17b4e87a704607f2d3764533b3972c02
SHA1: 9dc9098e1f5cef88cab0f2e349bf3b575b9d546d SHA256: fd354a89468a76659ba3ee06b6200af27adfaa5401f115fa3c427d97c74ab537 |
|
|
| c:\progra~1\common~1\log.txt | 7.69 KB (7879 bytes) |
MD5:
35085a450f532dfaeb3592eaffb6cda4
SHA1: 6386a589de4dca0ab1d5f5e7dce1c6f4e8959beb SHA256: f0c93e00cad050a0d6069c569234d40ff03ec36e06fdbd469e81f400049bf843 |
|
|
| c:\progra~1\common~1\log.txt | 7.75 KB (7931 bytes) |
MD5:
66c5449b52b544dca1a81456b5599a55
SHA1: 372d4d1da857cce6d821904633227afae8f8c5e4 SHA256: 3355ad8cc7da1435034397c27745197d9aebd15bbac266d577db6e1a75136b6a |
|
|
| c:\progra~1\common~1\log.txt | 7.81 KB (7993 bytes) |
MD5:
b3e49183c20a7f007241d416b4370532
SHA1: f4fcebc77d43c34f3fc34878ed034242828c2cf3 SHA256: 5e3959d976451a81f71411584f148a3b9715cb045e04f27a9d539bd15da5bf6d |
|
|
| c:\progra~1\common~1\log.txt | 7.88 KB (8064 bytes) |
MD5:
05fb072022576bb2cf4b5d23c9c042a9
SHA1: 97a4500d80657f0e8f3b18fe457f55d21ebb7bf0 SHA256: 262e9a7cc9dd0a5f054551df21fa023ca6025fcd1aeae44b91acbe67611c3ba7 |
|
|
| c:\progra~1\common~1\log.txt | 7.93 KB (8121 bytes) |
MD5:
a1a6203f94a7d08f88ef4f9c64b64751
SHA1: fb5b03564b9b49750b5efd8f4bda8866cd23b4b9 SHA256: fa8b006d3a28e44052d60db1ed4b78a27b44205b2fe4e690bd50c75db6d79d28 |
|
|
| c:\progra~1\common~1\log.txt | 7.99 KB (8186 bytes) |
MD5:
23389d14ab710399982a7a816f5d7003
SHA1: 8d017865ba586ea326c0d582123af51c9ef04fb9 SHA256: 665e8cc70ac1cb5102e4cbfb0f6288b3fe803a9bef9261f41aa721b3e30e9c74 |
|
|
| c:\progra~1\common~1\log.txt | 8.08 KB (8273 bytes) |
MD5:
ae98c05b979dc0635700d8a5fd977572
SHA1: ebba90636f7aaab78c133d2af78530097e962ee3 SHA256: e0f1cbac9123edd167b675f14095dbae31761998721d78e1e467455c8db90562 |
|
|
| c:\progra~1\common~1\log.txt | 8.16 KB (8357 bytes) |
MD5:
0fab42a4069156e095d89868a12c69fe
SHA1: 3fced465e2b1c1cad49cafe893d8b7c3233b5f53 SHA256: f1ab2a2b5a49c0597d8644a155344fae9c6a3b5a96220d3cfd0aa072b134c224 |
|
|
| c:\progra~1\common~1\log.txt | 8.24 KB (8433 bytes) |
MD5:
e036ca270459d7094798efd0c2e09f86
SHA1: c4600150007bedaf52f68681b86916e87d8ccdaf SHA256: 0accb682708c62d9b2f78d23a15b977856ff2422595684348cbedff41c80ac39 |
|
|
| c:\progra~1\common~1\log.txt | 8.33 KB (8525 bytes) |
MD5:
5ffd64e3c51bc8fa7978d04e98008963
SHA1: 717abca3e6e0d81d65550f606311a89a3b22f338 SHA256: 098053b24aa7f2bd2007632a689b1a63eacd3091733a829fa842be45d3c72a65 |
|
|
| c:\progra~1\common~1\log.txt | 8.38 KB (8585 bytes) |
MD5:
6e305b868b3f2ad3e592b225db55655e
SHA1: 941dd518a563b00494ad8b7b0b7fa5839eb2f437 SHA256: b9d2903da59d11531831543f7f02bfa220e56a18736244a03602d37bd41195c0 |
|
|
| c:\progra~1\common~1\log.txt | 8.45 KB (8656 bytes) |
MD5:
fbabe33557484f00b6899782092a5337
SHA1: 772ce3d83b8946c480d643ead1b857da52cfa14e SHA256: 39c98aefb97148ead47fdd2f275422b9db80efd0fedbad5ea8ae9e17dc52d6d9 |
|
|
| c:\progra~1\common~1\log.txt | 8.53 KB (8730 bytes) |
MD5:
1d0f4c3cf7b5596e854459cd58928142
SHA1: 117e119e643af6b5f46b560f393b097b33c83779 SHA256: 013ce062e5a77af00da5490669f424e7d5d6d64a0576f73e1379781a5417862a |
|
|
| c:\progra~1\common~1\log.txt | 8.60 KB (8806 bytes) |
MD5:
2663518d1848a516cf6dcb97a66cd87d
SHA1: 70a87311b97f5ab6fd3c6f2399044c0643377294 SHA256: 594454295a639854fd096d203469dd03a51e7edad07ade8e772e3a93ebdd1c97 |
|
|
| c:\users\5jghkoaofdp\pictures\hz2w\ra1rifpb2\l6fx8sicimwq0qgomdx1.encrypted.png | 29.86 KB (30576 bytes) |
MD5:
e851eb21c3987b1f349ddb9b857815d3
SHA1: 0183755599ab86295e6b2467968acc087fe25cb0 SHA256: 7915469719d6373559f2f7efe127f46950ccac1147ab91f2cd6711ed2fed14d0 |
|
|
| c:\progra~1\common~1\log.txt | 8.68 KB (8887 bytes) |
MD5:
cd31ec0082f8091222ef2c030a1dd669
SHA1: 05bf5c15f1ab075c0f80a489bbd3bb66f1016efe SHA256: 4568e21200c8049960de9d8037a882ab45fabd61881fc778fd82bd4b684b88f5 |
|
|
| c:\progra~1\common~1\log.txt | 8.74 KB (8953 bytes) |
MD5:
06972603e1aa72a1f67f38765134193c
SHA1: ae4a35610f1a018559138ed85f32acf647adc992 SHA256: 14afaf4417f69786f3ba0a0b7435282880ef828d93123e8bef9fbb2fdd8b3e38 |
|
|
| c:\progra~1\common~1\log.txt | 8.83 KB (9040 bytes) |
MD5:
062db4741927111f06eb282e0594bee8
SHA1: f4606367d92afe73c00faee19aa6cd6db5e45634 SHA256: 25e97d570f19f996bde584ff2240596e9c13f93b30fe96fb400d4e8692287e6d |
|
|
| c:\progra~1\common~1\log.txt | 8.91 KB (9120 bytes) |
MD5:
313318bc7f428f5c50490d2718271b01
SHA1: abb5e4d47142a8413a5f597882d5ff288072f8ff SHA256: f55af1f4c1ccda6c0a1172c82caa24083a5dc20fa928245e05435b292f9d811b |
|
|
| c:\progra~1\common~1\log.txt | 8.98 KB (9200 bytes) |
MD5:
13db1f7ab084a1cbedeef20780e5eb26
SHA1: 4252d4d682fc6f137b0728927ce2a43c9005e34d SHA256: 1c4516e1467f30557a892fd4e881787fc5e660ff37acbb6b59478527782295da |
|
|
| c:\progra~1\common~1\log.txt | 9.07 KB (9284 bytes) |
MD5:
9a058089af8fbb955a16523f2c73b3a7
SHA1: c3b358d9c041e839a7cdfbeb0911a250d599550f SHA256: 8c2cdaa60e59ea68e3e9f3f8df61b540b0f3f46dc2d4756adc2e6fb0c80cea50 |
|
|
| c:\progra~1\common~1\log.txt | 9.15 KB (9373 bytes) |
MD5:
a85b2f6027ba2286ef20cfa5f18e5b3b
SHA1: bc307cdf7fb0d755332086ba8b2c28cf15d675ad SHA256: a1ca68e8b77fa3e378309e50b7d0581fbe5f0a79fe8dae37a03ebdab75f21642 |
|
|
| c:\progra~1\common~1\log.txt | 9.34 KB (9564 bytes) |
MD5:
66e2fcd7ae20fd8170a02d2ea947759e
SHA1: c3828ae94e7c18dcbfbc7dbbf0aff7fac6005b70 SHA256: 5931325c0b0055a441e8f19dc9f70ba562491eedfea7e01944ca9fc0d92e60fe |
|
|
| c:\progra~1\common~1\log.txt | 9.51 KB (9737 bytes) |
MD5:
62f20d3a790f34ae967b4efc86da75b4
SHA1: b7b77fb68686b7ece7d6ebe548cbfd927f111871 SHA256: 5a5d01bbaa6d5bc6bf11585832a33f033dc19010e2d2dd3978845d4d21287cbe |
|
|
| c:\progra~1\common~1\log.txt | 9.57 KB (9798 bytes) |
MD5:
bbdb6bf5a04c6499133201eb51d01d15
SHA1: 28eea8e94852397036f8feb02268bc1c5bf8313a SHA256: 77d86caaadf8e955810eb1c41de575e2cc854326a4ad2777caff3c720c31cb45 |
|
|
| c:\progra~1\common~1\log.txt | 9.63 KB (9857 bytes) |
MD5:
7bd8cbfecabe16f788351292a8b498d3
SHA1: 9aa6c6ee11bbf77e858a6521e5d94c0c2105b4de SHA256: 51dc8ebff41e86ff82b8380a46e2615a64e7bd3e1f4b6593908c094cf80ac078 |
|
|
| c:\users\5jghkoaofdp\pictures\hz2w\uvzp9c0xe2unmuaj6.encrypted.gif | 62.77 KB (64272 bytes) |
MD5:
50ecceade9fad61b570f2b31410cad9f
SHA1: f73a2f7fd2befe16461d400ae1f9cfeeb40d1ab9 SHA256: 04a4b6fb5a0a3be5267c923254c16e87c6342c0e4ae7cae92ff983f19cb29ccf |
|
|
| c:\progra~1\common~1\log.txt | 9.76 KB (9992 bytes) |
MD5:
86561143d24c769f5da6bac487de96f5
SHA1: 869cbd81a15a7718db63393fbc2ce7707752789a SHA256: 5b085773c45ecf0476a4e2ba346ae988f4bb9b0ac901887bf1f0a926c5b37500 |
|
|
| c:\progra~1\common~1\log.txt | 9.81 KB (10050 bytes) |
MD5:
125e7e370faea2d82256567d87ad83ca
SHA1: b2e8d54ba0ed9a229b07317def820a1fad102fbd SHA256: 160741fa3ba7fd47609d525f152d6e18e8822713b2d994ea7811e4201f8d32f5 |
|
|
| c:\progra~1\common~1\log.txt | 9.88 KB (10115 bytes) |
MD5:
d6376b849a5dd31402bc61da53ff70d4
SHA1: 8e6db923aa75166f8bab98c8c4d0417ddb046d44 SHA256: ca24146bdc15868ac8c845d75ba74c8c39d2310f45f56ba249443c26ec375830 |
|
|
| c:\progra~1\common~1\log.txt | 9.94 KB (10178 bytes) |
MD5:
383abb78bcce7916d51ba5bc9746b635
SHA1: d990903793b76870fff1c5456a34b611c490643c SHA256: c999c4564b9af73b4ca71f49b251e910d1e3a78faf265ac06ca670586dc0cd6e |
|
|
| c:\progra~1\common~1\log.txt | 9.99 KB (10232 bytes) |
MD5:
605b83c7f9544dca8a16427f4d68a4f3
SHA1: f207d9d8ee21f4c17d4f65b012a3ecd5d2627a5d SHA256: 2c1eb6c74f8dcd2e8cdd117bd32906a1a0ddb6c8043dc70516ec44e1b33ce794 |
|
|
| c:\progra~1\common~1\log.txt | 10.06 KB (10297 bytes) |
MD5:
08fe23442e7b9dbddbd04d28a03ad514
SHA1: cc41053534d44c0824ea20cf98409b94af9d1c45 SHA256: 8a56a3d04eb76ebaa8df213bed2038e658b43f99016c0f7cf71d8d2068e36393 |
|
|
| c:\progra~1\common~1\log.txt | 10.12 KB (10365 bytes) |
MD5:
247baaa79fd5a0e687bccecd197c5045
SHA1: 2e6ade7efd7f39d8104a96d928f4cbcd7bf08439 SHA256: 703a4a2ea26cb42fcf3a816838e6d94974de3ffd60ad5810e98542b8518d0b21 |
|
|
| c:\progra~1\common~1\log.txt | 10.18 KB (10420 bytes) |
MD5:
35cc2d53ec9d5ed8d5fab7c26d956a2a
SHA1: 01b101ab4ec74c74d9d567837ad0d4ed77ef19d5 SHA256: 1510c32944889fe7e049d9d3b9bc28d39e5ba5b26e67de67d67088e4ff6417d6 |
|
|
| c:\progra~1\common~1\log.txt | 10.24 KB (10481 bytes) |
MD5:
eef304cda1e97b7519e8013f41389e28
SHA1: 2b31237696990a1ccd72865997616badadd0cf76 SHA256: e7d70e8746e80567900bce548f24364be6117e1101d33a069416e3624f0f4315 |
|
|
| c:\users\5jghkoaofdp\videos\mmzl\pegwegazbvwtu3n0gz1z\4_fiu1ihmr5kifysz.encrypted.mkv | 13.70 KB (14032 bytes) |
MD5:
3b64c710563c0112cea1fc58433aed8c
SHA1: 28d90fbbbf35ba141352091a9eb4e3a1e7931980 SHA256: f82ab9e17352b9118db0aa37ee63c3e46f8ff28d08bbafa51b96121f882877b2 |
|
|
| c:\progra~1\common~1\log.txt | 10.42 KB (10670 bytes) |
MD5:
743ec6e8ca03e0f65fa6c9b36a2a3fa9
SHA1: 1c8a9674e39e5218ea538d5f42d4f7b4f553f937 SHA256: ef0af7c4736a029cbe1b6413e5d813b4e8ea0bedc6141b7f4bdd08e37af3607b |
|
|
| c:\progra~1\common~1\log.txt | 10.52 KB (10775 bytes) |
MD5:
4b99fab8428b8837effca97514e64fd5
SHA1: fcf4a931b1af4e25df1117bccc32e1043ca61729 SHA256: 1530fa9ad498da053ccdfa86355d43dcbf6d0cb221d922215c8c7504baccaf35 |
|
|
| c:\progra~1\common~1\log.txt | 10.62 KB (10879 bytes) |
MD5:
3d98ad64cbe4da1444b459c4ec605cb7
SHA1: 15f1210a505ac74f0eaa5a827c6708bb72d365f2 SHA256: 06a33380dc9b7433b0cfb1492ab6c40cf3ef2759d09ec2ec84e46850add4b5c7 |
|
|
| c:\progra~1\common~1\log.txt | 10.72 KB (10977 bytes) |
MD5:
11149743e690c20d38515883a803b728
SHA1: 5e46c3c40862cbbabdd935c4590a3f3a4b0ee0bf SHA256: 582ed28cb5e530572940a43f29940db8b98f35d3c5db9f932e757638ee9fe45a |
|
|
| c:\progra~1\common~1\log.txt | 10.81 KB (11069 bytes) |
MD5:
e1af75e25dc5a0546b08272e826396c9
SHA1: 63a02effd93a059ed740f72f7e917b38fc7d5f74 SHA256: 550624776f27a6ad3e4f0126f12f8ff3b0072aa978349dd2a6b2db2015b3cf7c |
|
|
| c:\progra~1\common~1\log.txt | 11.00 KB (11266 bytes) |
MD5:
0aba604b2c92a7a6e639cc36453f3bae
SHA1: 09ba74f0646405ac29679e0bfb3dcf1089d3eeea SHA256: eb25f636f7c32d17ce3945ec7bf79bb50b7ff71567a429bb05791fdca0674b59 |
|
|
| c:\progra~1\common~1\log.txt | 11.12 KB (11391 bytes) |
MD5:
355471f0b3d53b177c40c3c4dc043b97
SHA1: 28c25132fa508e8073aa34f3638ff2d4c57b53c7 SHA256: a29cc1e547ccb87e7df6d55d8b4dc1804951766dedc9da617a661583c1b0c3ef |
|
|
| c:\progra~1\common~1\log.txt | 11.24 KB (11514 bytes) |
MD5:
964a64698fb9058d4c4cc7e15bf4eebd
SHA1: 35e70175ad3cc625df4b09d1bd1ebbbb8c9e43f3 SHA256: 2c5a5de0543ce418e9261f8e1d40669bf9c711ec901973d91ad58a02199a600a |
|
|
| c:\progra~1\common~1\log.txt | 11.37 KB (11638 bytes) |
MD5:
cb9f6ab7b30eaf63713b9f144fba5f92
SHA1: b9f6464b3261d41b8fad5a39f422899b7b5bc841 SHA256: 42854f6d2f498057c5900d219a5c5747edf0480224f3e5d3253908abcce85872 |
|
|
| c:\progra~1\common~1\log.txt | 11.49 KB (11762 bytes) |
MD5:
1774ac1c3f40ff5b7c80df6acfc4dada
SHA1: 3774e9e0eb5b659bd51813945c61d612d2d951c7 SHA256: 4bc3c90794d551de434a5a9478837679b446a95caeecd133a47e42e2e9411f6e |
|
|
| c:\$recycle.bin\s-1-5-21-3643094112-4209292109-138530109-1001\desktop.ini | 0.06 KB (65 bytes) |
MD5:
ad0b0b4416f06af436328a3c12dc491b
SHA1: 743c7ad130780de78ccbf75aa6f84298720ad3fa SHA256: 23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416 |
|
|
| c:\$recycle.bin\s-1-5-21-3643094112-4209292109-138530109-1001\desktop.ini | 0.13 KB (129 bytes) |
MD5:
a526b9e7c716b3489d8cc062fbce4005
SHA1: 2df502a944ff721241be20a9e449d2acd07e0312 SHA256: e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066 |
|
|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcookies\mq6x6yzs.txt | 0.11 KB (117 bytes) |
MD5:
b66f6b08de0f150cb8941aeb2b84f9d9
SHA1: 4b44ad08470119cf62889821b9e95c612fe68aa2 SHA256: 07d71e09bbe4073839f882848e76ac431df4741ad318ef5c71846ee985bea63b |
|
|
| c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\ie\cay9e00x\tobtc[1].txt | 0.01 KB (10 bytes) |
MD5:
e407af805476c1cc12fcbcb42a217a5f
SHA1: 36c2f577a120f1785fd74ef556c4851b029c63a7 SHA256: f959f76db4de29b9eb002f367e97a576481e1bc77274564bee0ce198849f73f3 |
|
|
| c:\progra~1\common~1\1365363213 | 0.03 KB (27 bytes) |
MD5:
ed31cbe057cdf23178c1f2ba56935bb2
SHA1: d59dafa8efb71f884ba2d45e81b578840146ddca SHA256: ca7c6bc32e528080123c9f9b5f789ea602e26191d9665e8c671498cc18e902dd |
|
|
| c:\users\5jghkoaofdp\desktop\k9uoo8fw7r.encrypted.jpg | 91.89 KB (94096 bytes) |
MD5:
a68bf9f8d438a33cbe510005f6e874dc
SHA1: a3c741303af0316b3571ba09551b156b195df33d SHA256: 61269a23824a019c70e6d2bc511b3ca58b1b19e0901d9877b3b5cc23842b71db |
|
|
| c:\users\5jghkoaofdp\desktop\kqg5xtni4dupero o1m.encrypted.jpg | 85.17 KB (87216 bytes) |
MD5:
760f09c85f27d0bc3898cea6ec12bfb2
SHA1: c1ba11bb7749491ae94893ec62ae5b2f9845cbac SHA256: fce006e9807cd3825630e132f3e5c14c578b026c5ac7f2d3f4cca58f38b793b2 |
|
|
| c:\users\5jghkoaofdp\desktop\ostre2ekexrlom6.encrypted.jpg | 12.44 KB (12736 bytes) |
MD5:
8712a2ba179c03a3d086989b13741f44
SHA1: d445747f84d42efd5b5e52a74bd8d64bfb4813f4 SHA256: ba434835eebcfdd209a6c28e47f29d11654df328d75fee34a5b8bb9a2e0dbfa5 |
|
|
| c:\users\5jghkoaofdp\desktop\4ghbrlq-jktwuq.encrypted.bmp | 53.39 KB (54672 bytes) |
MD5:
980fdc20d3574dcec166792ad5df9c37
SHA1: 382f94c8be36973f1b3b1ea0fa6dd9afb52e4fc2 SHA256: e49c2af279005228f4e6296948c9f19b1cca25b0bc09f6807170c87663d8eb9d |
|
|
| c:\users\5jghkoaofdp\desktop\b1drbf6bjih2t5r.encrypted.bmp | 36.88 KB (37760 bytes) |
MD5:
83fb70c75a3824acc0433299350e560d
SHA1: 355a97c3fdb3ea08794d93b0971f2cada20ec94c SHA256: be1b6eb108483866a017b48a922e2e39cae4330d1ca002b2d188f466cb1f1508 |
|
|
| c:\users\5jghkoaofdp\desktop\djg5lkzha.encrypted.bmp | 94.53 KB (96800 bytes) |
MD5:
e6731e0cbaae9ee9555d8a0720bea8a8
SHA1: 4cb7fea782fe5a1e90e10857cb4a6ea62d0c3c51 SHA256: 2e71b395f3142cc8ac2277a8343b5103c00b2219eba017c147797353bf97b1c8 |
|
|
| c:\users\5jghkoaofdp\desktop\frzbojgkva5c6myj.encrypted.mp4 | 90.30 KB (92464 bytes) |
MD5:
10c1a84a32519315c52d7c62eb634392
SHA1: fd89dc77f465db303f24e0c6ebbcb51f9966be41 SHA256: d10a7d942c17af5f2d67abc15d0bdfbe74262dc63dd64a8939a03edbb827e9bf |
|
|
| c:\users\5jghkoaofdp\desktop\uk 6ek_ge.encrypted.png | 25.23 KB (25840 bytes) |
MD5:
39c24282dcc2cfdf1a16e0a9dcd353ed
SHA1: 7740212a7a6d04981889c3eaf3ea9d033cb32024 SHA256: 3793173ad68dd2c7672ddedefdd82972f8108f53696d3a9b72e57fbbcb04e6bb |
|
|
| c:\users\5jghkoaofdp\desktop\ur9w.encrypted.mp3 | 60.31 KB (61760 bytes) |
MD5:
85059cccd2f0472cd50f45dfd1a7ea73
SHA1: 1c4328fb34d4c3777daea38904d0185df3e2d60a SHA256: 48d2d6d30fa8534a5c172cd867fffb6646c1fa9731ab84cead010826ab1af132 |
|
|
| c:\users\5jghkoaofdp\desktop\xe_1j.encrypted.avi | 30.41 KB (31136 bytes) |
MD5:
0820b196964244383636e3e10ac13f73
SHA1: 3de767680bc25c995536ab7e3f86e77f99172f1e SHA256: eb90f565bb5a91eef0f0ae385e55504966c29b28f5e022365cf740d22057a2af |
|
|
| c:\users\5jghkoaofdp\desktop\ypmyrw0yu.encrypted.mp3 | 79.75 KB (81664 bytes) |
MD5:
40ae53155c9e7aa00db5d28fc6195ad3
SHA1: 00709944738ba3518b1de353ed414cd2b5733c0d SHA256: 26fc40822c979da7e22395d77c5874944ffa64c62c5285b025971dc5bcd235c5 |
|
|
| c:\users\5jghkoaofdp\desktop\0-0nsqtjx3oqok.encrypted.docx | 67.91 KB (69536 bytes) |
MD5:
c73c9e08a23aab918b0022c37f3bbd03
SHA1: d98475693e54efa2a80879e01c9f572495d0a2b8 SHA256: fca4a8eae9c17d525c6d3a006f7e1d332ad2975a307c5487b2d42b55a259eaef |
|
|
| c:\users\5jghkoaofdp\desktop\cchnli nseui.encrypted.mp3 | 5.83 KB (5968 bytes) |
MD5:
640b1339f17aede2881af1ab059658d9
SHA1: 2de17d959a3827be3338bebeb537e38ad7ebe028 SHA256: 49ddba6f04e525494e892afae7beac4d467c046bd90b9214e1150234d00e1d9c |
|
|
| c:\users\5jghkoaofdp\desktop\k3ebs8.encrypted.docx | 19.75 KB (20224 bytes) |
MD5:
8646a831d8aa6b5cdb95285c310de920
SHA1: 25f3599cd5f77eb5da49b54d910539b485441d75 SHA256: 9b6abb86be95d8762d6459910e4d3e029008f71848102b0961f0d1993e410fb1 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7ffe2a643de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x7ffe2a643ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x7ffe2a64165c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x7ffe2a64164c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x7ffe2a6434d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x7ffe2a65bba4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x7ffe2a6f8b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7ffe2a644020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7ffe2a64415c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7ffe2cb4ac78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffe2cb93808 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7ffe2cb4ba8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7ffe2a64a4e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7ffe2cb97284 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7ffe2cb926cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x7ffe2cbb7300 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffe2cb96e94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x7ffe2cbb6190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7ffe2a644780 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7ffe2a71d040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x7ffe2a148320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7ffe2a71d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x7ffe2a6443cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x7ffe2a71d2b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7ffe2a644060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7ffe2a6f8fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7ffe2a644050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7ffe2a6441d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7ffe2a643fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7ffe2a07c850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7ffe2a641678 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Filename | process_name = c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe, file_name_orig = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe, file_name_orig = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, size = 32767 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe, file_name_orig = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, size = 32767 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:01:42 (UTC) |
|
5 | |
| Debug | Check for Presence | c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:01:42 (UTC) |
|
8 | |
| Window | Create | window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Environment | Get Environment String | name = USERPROFILE, result_out = C:\Users\5JgHKoaOfdp |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| File | Write | size = 34 |
|
1 | |
| File | Copy | source_filename = C:\Users\5JGHKO~1\Desktop\wanacry6.malware.exe, destination_filename = C:\PROGRA~1\COMMON~1\wanacry6.malware.exe, copy_flags = COPY_FILE_ALLOW_DECRYPTED_DESTINATION |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\WANACR~1.EXE, os_pid = 0xb74, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, value_name = EnableLinkedConnections, type = REG_NONE |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Contacts\lulcit amkdfe.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\g_Kf.mp3, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\g_Kf.encrypted.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\g_Kf.mp3, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\g_Kf.mp3, size = 65536, size_out = 1032 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\g_Kf.mp3, size = 65536, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\g_Kf.mp3, type = file_attributes |
|
1 | |
| Module | Load | module_name = msvcrt.dll, base_address = 0x7ffe2a8b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x7ffe2a8b1690 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\log.txt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 54 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\jbm6X5WVPb3d4o.m4a, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\jbm6X5WVPb3d4o.encrypted.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\jbm6X5WVPb3d4o.m4a, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\jbm6X5WVPb3d4o.m4a, size = 65536, size_out = 23930 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\jbm6X5WVPb3d4o.m4a, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\jbm6X5WVPb3d4o.encrypted.m4a, size = 65536, size_out = 54 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\jbm6X5WVPb3d4o.encrypted.m4a, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\jbm6X5WVPb3d4o.encrypted.m4a, size = 64 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.wav, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.encrypted.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.wav, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.wav, size = 65536, size_out = 14664 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.wav, size = 65536, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.wav, type = file_attributes |
|
1 | |
| Module | Load | module_name = msvcrt.dll, base_address = 0x7ffe2a8b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x7ffe2a8b1690 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.encrypted.wav, size = 65536, size_out = 118 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.encrypted.wav, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7ffe2a59e86c |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.encrypted.wav, size = 65536, size_out = 51691 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.encrypted.wav, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.wav, size = 65536, size_out = 183 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.wav, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\MBc0Rw8Uo_Of3f5.wav, size = 55 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\oTNowkVPArPdClpl.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\oTNowkVPArPdClpl.flv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\oTNowkVPArPdClpl.encrypted.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\oTNowkVPArPdClpl.flv, size = 65536, size_out = 46503 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\oTNowkVPArPdClpl.flv, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\oTNowkVPArPdClpl.encrypted.flv, size = 65536, size_out = 238 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\oTNowkVPArPdClpl.encrypted.flv, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\oTNowkVPArPdClpl.encrypted.flv, size = 66 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\P62rA6FYB gP.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\P62rA6FYB gP.mp4, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\P62rA6FYB gP.encrypted.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\P62rA6FYB gP.mp4, size = 65536, size_out = 50938 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\P62rA6FYB gP.mp4, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\P62rA6FYB gP.encrypted.mp4, size = 65536, size_out = 304 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\P62rA6FYB gP.encrypted.mp4, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\-Kar\P62rA6FYB gP.encrypted.mp4, size = 62 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\0-0nSQtjx3OQOk.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\0-0nSQtjx3OQOk.docx, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\0-0nSQtjx3OQOk.encrypted.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\0-0nSQtjx3OQOk.docx, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\0-0nSQtjx3OQOk.docx, size = 65536, size_out = 3998 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\0-0nSQtjx3OQOk.docx, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\0-0nSQtjx3OQOk.encrypted.docx, size = 65536, size_out = 366 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\0-0nSQtjx3OQOk.encrypted.docx, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\0-0nSQtjx3OQOk.encrypted.docx, size = 60 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\2U 4q.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\2U 4q.mkv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\2U 4q.encrypted.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\2U 4q.mkv, size = 65536, size_out = 48104 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\2U 4q.mkv, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\2U 4q.encrypted.mkv, size = 65536, size_out = 426 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\2U 4q.encrypted.mkv, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\2U 4q.encrypted.mkv, size = 50 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.bmp, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.encrypted.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.bmp, size = 65536, size_out = 54656 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.bmp, size = 65536, size_out = 0 |
|
1 | |
| Module | Load | module_name = msvcrt.dll, base_address = 0x7ffe2a8b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x7ffe2a8b1690 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.encrypted.bmp, size = 65536, size_out = 476 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.encrypted.bmp, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7ffe2a59e86c |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.encrypted.bmp, size = 65536, size_out = 21786 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.encrypted.bmp, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.bmp, size = 65536, size_out = 535 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.bmp, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\4GhbRlq-JKTwUq.bmp, size = 49 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\b1DrBF6BJiH2t5R.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\b1DrBF6BJiH2t5R.bmp, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\b1DrBF6BJiH2t5R.encrypted.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\b1DrBF6BJiH2t5R.bmp, size = 65536, size_out = 37756 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\b1DrBF6BJiH2t5R.bmp, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\b1DrBF6BJiH2t5R.encrypted.bmp, size = 65536, size_out = 584 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\b1DrBF6BJiH2t5R.encrypted.bmp, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\b1DrBF6BJiH2t5R.encrypted.bmp, size = 60 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\cChNLI nseUI.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\cChNLI nseUI.mp3, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\cChNLI nseUI.encrypted.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\cChNLI nseUI.mp3, size = 65536, size_out = 5959 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\cChNLI nseUI.mp3, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\cChNLI nseUI.encrypted.mp3, size = 65536, size_out = 644 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\cChNLI nseUI.encrypted.mp3, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\cChNLI nseUI.encrypted.mp3, size = 57 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\DjG5LKzHA.bmp, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\DjG5LKzHA.encrypted.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\DjG5LKzHA.bmp, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\DjG5LKzHA.bmp, size = 65536, size_out = 31249 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\DjG5LKzHA.bmp, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\DjG5LKzHA.encrypted.bmp, size = 65536, size_out = 701 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\DjG5LKzHA.encrypted.bmp, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\DjG5LKzHA.encrypted.bmp, size = 54 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\2qHnNLlstx60xk.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\2qHnNLlstx60xk.swf, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\2qHnNLlstx60xk.encrypted.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\2qHnNLlstx60xk.swf, size = 65536, size_out = 63022 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\2qHnNLlstx60xk.swf, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\2qHnNLlstx60xk.encrypted.swf, size = 65536, size_out = 755 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\2qHnNLlstx60xk.encrypted.swf, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\2qHnNLlstx60xk.encrypted.swf, size = 73 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\a7BOT.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\a7BOT.m4a, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\a7BOT.encrypted.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\a7BOT.m4a, size = 65536, size_out = 24486 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\a7BOT.m4a, size = 65536, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\a7BOT.m4a, type = file_attributes |
|
1 | |
| Module | Load | module_name = msvcrt.dll, base_address = 0x7ffe2a8b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x7ffe2a8b1690 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\a7BOT.encrypted.m4a, size = 65536, size_out = 828 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\a7BOT.encrypted.m4a, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7ffe2a59e85c |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\BxiNkfDKL7n6uh.encrypted.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\a7BOT.encrypted.m4a, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\a7BOT.encrypted.m4a, size = 65536, size_out = 35399 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\a7BOT.encrypted.m4a, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\BxiNkfDKL7n6uh.encrypted.mkv, size = 65536, size_out = 892 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\BxiNkfDKL7n6uh.encrypted.mkv, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\BxiNkfDKL7n6uh.encrypted.mkv, size = 73 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\Mkl8.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\Mkl8.flv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\Mkl8.encrypted.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\Mkl8.flv, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\Mkl8.flv, size = 65536, size_out = 14061 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\Mkl8.flv, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\Mkl8.encrypted.flv, size = 65536, size_out = 965 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\Mkl8.encrypted.flv, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\Mkl8.encrypted.flv, size = 63 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\O7 BldHX4t31hLq.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\O7 BldHX4t31hLq.wav, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\O7 BldHX4t31hLq.encrypted.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\O7 BldHX4t31hLq.wav, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\O7 BldHX4t31hLq.wav, size = 65536, size_out = 27097 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\O7 BldHX4t31hLq.wav, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\O7 BldHX4t31hLq.encrypted.wav, size = 65536, size_out = 1028 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\O7 BldHX4t31hLq.encrypted.wav, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\O7 BldHX4t31hLq.encrypted.wav, size = 74 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\uMOrr9mp.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\uMOrr9mp.csv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\uMOrr9mp.encrypted.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\uMOrr9mp.csv, size = 65536, size_out = 43685 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\uMOrr9mp.csv, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\uMOrr9mp.encrypted.csv, size = 65536, size_out = 1102 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\uMOrr9mp.encrypted.csv, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\uMOrr9mp.encrypted.csv, size = 67 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\X9pGuRd2LUFtykx.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\X9pGuRd2LUFtykx.avi, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\X9pGuRd2LUFtykx.encrypted.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\X9pGuRd2LUFtykx.avi, size = 65536, size_out = 23424 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\X9pGuRd2LUFtykx.avi, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\X9pGuRd2LUFtykx.encrypted.avi, size = 65536, size_out = 1169 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\X9pGuRd2LUFtykx.encrypted.avi, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\X9pGuRd2LUFtykx.encrypted.avi, size = 74 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\xkRc6.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\xkRc6.gif, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\xkRc6.encrypted.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\xkRc6.gif, size = 65536, size_out = 54019 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\xkRc6.gif, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\xkRc6.encrypted.gif, size = 65536, size_out = 1243 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\xkRc6.encrypted.gif, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\fMgVztMzKdkWm\xkRc6.encrypted.gif, size = 64 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\FrZbOJgkVA5C6MyJ.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\FrZbOJgkVA5C6MyJ.mp4, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\FrZbOJgkVA5C6MyJ.encrypted.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\FrZbOJgkVA5C6MyJ.mp4, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\FrZbOJgkVA5C6MyJ.mp4, size = 65536, size_out = 26915 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\FrZbOJgkVA5C6MyJ.mp4, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\FrZbOJgkVA5C6MyJ.encrypted.mp4, size = 65536, size_out = 1307 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\FrZbOJgkVA5C6MyJ.encrypted.mp4, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\FrZbOJgkVA5C6MyJ.encrypted.mp4, size = 61 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\I0uZHq1VO1kg.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\I0uZHq1VO1kg.ods, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\I0uZHq1VO1kg.encrypted.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\I0uZHq1VO1kg.ods, size = 65536, size_out = 39719 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\I0uZHq1VO1kg.ods, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\I0uZHq1VO1kg.encrypted.ods, size = 65536, size_out = 1368 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\I0uZHq1VO1kg.encrypted.ods, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\I0uZHq1VO1kg.encrypted.ods, size = 57 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\JMyoN8-H.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7ffe2a59e84c |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\JYTH35yWOw4cDE5jD.odp, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\JYTH35yWOw4cDE5jD.odp, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\JYTH35yWOw4cDE5jD.odp, size = 65536, size_out = 14498 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\JYTH35yWOw4cDE5jD.odp, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptEncrypt, address_out = 0x7ffe2a5cb720 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\I0uZHq1VO1kg.ods, size = 65536, size_out = 1425 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\I0uZHq1VO1kg.ods, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\I0uZHq1VO1kg.ods, size = 62 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\K3EBs8.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\K3EBs8.docx, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\K3EBs8.encrypted.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\K3EBs8.docx, size = 65536, size_out = 20218 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\K3EBs8.docx, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\K3EBs8.encrypted.docx, size = 65536, size_out = 1487 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\K3EBs8.encrypted.docx, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\K3EBs8.encrypted.docx, size = 52 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\k9uoo8fW7r.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\k9uoo8fW7r.jpg, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\k9uoo8fW7r.encrypted.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\k9uoo8fW7r.jpg, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\k9uoo8fW7r.jpg, size = 65536, size_out = 28554 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\k9uoo8fW7r.jpg, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\k9uoo8fW7r.encrypted.jpg, size = 65536, size_out = 1539 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\k9uoo8fW7r.encrypted.jpg, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\k9uoo8fW7r.encrypted.jpg, size = 55 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\kQG5XtNI4DupERo o1m.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\kQG5XtNI4DupERo o1m.jpg, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\kQG5XtNI4DupERo o1m.encrypted.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\kQG5XtNI4DupERo o1m.jpg, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\kQG5XtNI4DupERo o1m.jpg, size = 65536, size_out = 21675 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\kQG5XtNI4DupERo o1m.jpg, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\kQG5XtNI4DupERo o1m.encrypted.jpg, size = 65536, size_out = 1594 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\kQG5XtNI4DupERo o1m.encrypted.jpg, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\kQG5XtNI4DupERo o1m.encrypted.jpg, size = 64 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\lQcVzOBTHZds7XE9L.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\lQcVzOBTHZds7XE9L.swf, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\lQcVzOBTHZds7XE9L.encrypted.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\lQcVzOBTHZds7XE9L.swf, size = 65536, size_out = 5310 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\lQcVzOBTHZds7XE9L.swf, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\lQcVzOBTHZds7XE9L.encrypted.swf, size = 65536, size_out = 1658 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\lQcVzOBTHZds7XE9L.encrypted.swf, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\lQcVzOBTHZds7XE9L.encrypted.swf, size = 62 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\M2GZLacPZQEjs2kMO8D.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\M2GZLacPZQEjs2kMO8D.pps, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\M2GZLacPZQEjs2kMO8D.encrypted.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\M2GZLacPZQEjs2kMO8D.pps, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\M2GZLacPZQEjs2kMO8D.pps, size = 65536, size_out = 8167 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\M2GZLacPZQEjs2kMO8D.pps, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x7ffe2a59e83c |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\M2GZLacPZQEjs2kMO8D.encrypted.pps, size = 65536, size_out = 1720 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\M2GZLacPZQEjs2kMO8D.encrypted.pps, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7ffe2a59e86c |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\n0ie6V_g.encrypted.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\M2GZLacPZQEjs2kMO8D.encrypted.pps, size = 65536, size_out = 12664 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\M2GZLacPZQEjs2kMO8D.encrypted.pps, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\n0ie6V_g.avi, type = file_attributes |
|
1 | |
| Module | Load | module_name = msvcrt.dll, base_address = 0x7ffe2a8b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x7ffe2a8b1690 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\n0ie6V_g.encrypted.avi, size = 65536, size_out = 1784 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\n0ie6V_g.encrypted.avi, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7ffe2a59e85c |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\osTre2ekexRLOM6.encrypted.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\n0ie6V_g.encrypted.avi, size = 65536, size_out = 12735 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\n0ie6V_g.encrypted.avi, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\osTre2ekexRLOM6.encrypted.jpg, size = 65536, size_out = 1837 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\osTre2ekexRLOM6.encrypted.jpg, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\osTre2ekexRLOM6.encrypted.jpg, size = 60 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.swf, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.encrypted.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.swf, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.swf, size = 65536, size_out = 712 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.swf, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.encrypted.swf, size = 65536, size_out = 1897 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.encrypted.swf, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.encrypted.swf, size = 52 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\QmkNd.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7ffe2a59e84c |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\QmkNd.odp, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\QmkNd.odp, size = 65536, size_out = 58101 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\QmkNd.odp, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptEncrypt, address_out = 0x7ffe2a5cb720 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.swf, size = 65536, size_out = 1949 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.swf, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\q768hX7.swf, size = 50 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\rvzc3jMnZDyKRdzF.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\rvzc3jMnZDyKRdzF.mkv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\rvzc3jMnZDyKRdzF.encrypted.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\rvzc3jMnZDyKRdzF.mkv, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\rvzc3jMnZDyKRdzF.mkv, size = 65536, size_out = 870 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\rvzc3jMnZDyKRdzF.mkv, size = 65536, size_out = 0 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x7ffe2a641998 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\rvzc3jMnZDyKRdzF.mkv, desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\rvzc3jMnZDyKRdzF.mkv, size = 65536, size_out = 1999 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\rvzc3jMnZDyKRdzF.mkv, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7ffe2a59e85c |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\uK 6Ek_gE.encrypted.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\rvzc3jMnZDyKRdzF.mkv, size = 65536, size_out = 25830 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\rvzc3jMnZDyKRdzF.mkv, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\uK 6Ek_gE.encrypted.png, size = 65536, size_out = 2060 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\uK 6Ek_gE.encrypted.png, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\uK 6Ek_gE.encrypted.png, size = 54 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\Ur9w.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\Ur9w.mp3, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\Ur9w.encrypted.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\Ur9w.mp3, size = 65536, size_out = 61748 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\Ur9w.mp3, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\Ur9w.encrypted.mp3, size = 65536, size_out = 2114 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\Ur9w.encrypted.mp3, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\Ur9w.encrypted.mp3, size = 49 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\xE_1J.avi, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\xE_1J.encrypted.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\xE_1J.avi, size = 65536, size_out = 31123 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\xE_1J.avi, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\xE_1J.encrypted.avi, size = 65536, size_out = 2163 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\xE_1J.encrypted.avi, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\xE_1J.encrypted.avi, size = 50 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.mp3, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.encrypted.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.mp3, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.mp3, size = 65536, size_out = 16117 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.mp3, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.encrypted.mp3, size = 65536, size_out = 2213 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.encrypted.mp3, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.encrypted.mp3, size = 54 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\Zpipq.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7ffe2a59e84c |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\Zpipq.avi, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\Zpipq.avi, size = 65536, size_out = 24574 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\Zpipq.avi, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptEncrypt, address_out = 0x7ffe2a5cb720 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.mp3, size = 65536, size_out = 2267 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.mp3, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Desktop\YPMyrW0Yu.mp3, size = 50 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\-K2qi4D7O1hA.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\-K2qi4D7O1hA.pptx, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\-K2qi4D7O1hA.encrypted.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\-K2qi4D7O1hA.pptx, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\-K2qi4D7O1hA.pptx, size = 65536, size_out = 27983 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\-K2qi4D7O1hA.pptx, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\-K2qi4D7O1hA.encrypted.pptx, size = 65536, size_out = 2317 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\-K2qi4D7O1hA.encrypted.pptx, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\-K2qi4D7O1hA.encrypted.pptx, size = 60 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\13i0VlibnO4QxctB5.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\13i0VlibnO4QxctB5.odp, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\13i0VlibnO4QxctB5.encrypted.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\13i0VlibnO4QxctB5.odp, size = 65536, size_out = 3293 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\13i0VlibnO4QxctB5.odp, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\13i0VlibnO4QxctB5.encrypted.odp, size = 65536, size_out = 2377 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\13i0VlibnO4QxctB5.encrypted.odp, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\13i0VlibnO4QxctB5.encrypted.odp, size = 64 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\2sfMU.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\2sfMU.docx, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\2sfMU.encrypted.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\2sfMU.docx, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\2sfMU.docx, size = 65536, size_out = 9553 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\2sfMU.docx, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\2sfMU.encrypted.docx, size = 65536, size_out = 2441 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\2sfMU.encrypted.docx, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\2sfMU.encrypted.docx, size = 53 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\6hmkgL288Io-nw73.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\6hmkgL288Io-nw73.docx, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\6hmkgL288Io-nw73.encrypted.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\6hmkgL288Io-nw73.docx, size = 65536, size_out = 49220 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\6hmkgL288Io-nw73.docx, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\6hmkgL288Io-nw73.encrypted.docx, size = 65536, size_out = 2494 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\6hmkgL288Io-nw73.encrypted.docx, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\6hmkgL288Io-nw73.encrypted.docx, size = 64 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\6VP Y1.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\6VP Y1.xlsx, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\6VP Y1.encrypted.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\6VP Y1.xlsx, size = 65536, size_out = 64919 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\6VP Y1.xlsx, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\6VP Y1.encrypted.xlsx, size = 65536, size_out = 2558 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\6VP Y1.encrypted.xlsx, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\6VP Y1.encrypted.xlsx, size = 54 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\aQjEhDUTmjiM4M.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7ffe2a59e84c |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\aQjEhDUTmjiM4M.docx, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\aQjEhDUTmjiM4M.docx, size = 65536, size_out = 31351 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\aQjEhDUTmjiM4M.docx, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptEncrypt, address_out = 0x7ffe2a5cb720 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\6VP Y1.xlsx, size = 65536, size_out = 2612 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\6VP Y1.xlsx, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\6VP Y1.xlsx, size = 62 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\b9SUel0k8A.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\b9SUel0k8A.xls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\b9SUel0k8A.encrypted.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\b9SUel0k8A.xls, size = 65536, size_out = 23197 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\b9SUel0k8A.xls, size = 65536, size_out = 0 |
|
1 | |
| Module | Load | module_name = msvcrt.dll, base_address = 0x7ffe2a8b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x7ffe2a8b1690 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\b9SUel0k8A.encrypted.xls, size = 65536, size_out = 2674 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\b9SUel0k8A.encrypted.xls, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7ffe2a59e85c |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\EcMUW.encrypted.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\b9SUel0k8A.encrypted.xls, size = 65536, size_out = 60451 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\b9SUel0k8A.encrypted.xls, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptEncrypt, address_out = 0x7ffe2a5cb720 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\EcMUW.encrypted.docx, size = 65536, size_out = 2731 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\EcMUW.encrypted.docx, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\EcMUW.encrypted.docx, size = 53 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\F0tlqD_PjItzmwvwmHNX.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\F0tlqD_PjItzmwvwmHNX.xlsx, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\F0tlqD_PjItzmwvwmHNX.encrypted.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\F0tlqD_PjItzmwvwmHNX.xlsx, size = 65536, size_out = 34922 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\F0tlqD_PjItzmwvwmHNX.xlsx, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\F0tlqD_PjItzmwvwmHNX.encrypted.xlsx, size = 65536, size_out = 2784 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\F0tlqD_PjItzmwvwmHNX.encrypted.xlsx, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\F0tlqD_PjItzmwvwmHNX.encrypted.xlsx, size = 68 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.odt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.encrypted.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.odt, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.odt, size = 65536, size_out = 36680 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.odt, size = 65536, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.odt, type = file_attributes |
|
1 | |
| Module | Load | module_name = msvcrt.dll, base_address = 0x7ffe2a8b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x7ffe2a8b1690 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.encrypted.odt, size = 65536, size_out = 2852 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.encrypted.odt, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7ffe2a59e86c |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.encrypted.odt, size = 65536, size_out = 46484 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.encrypted.odt, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.odt, size = 65536, size_out = 2924 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.odt, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\6ESq8lZBvb5xjb1XLyrd.odt, size = 60 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\-McD0G9w-y6.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\-McD0G9w-y6.rtf, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\-McD0G9w-y6.encrypted.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\-McD0G9w-y6.rtf, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\-McD0G9w-y6.rtf, size = 65536, size_out = 1760 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\-McD0G9w-y6.rtf, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\-McD0G9w-y6.encrypted.rtf, size = 65536, size_out = 2984 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\-McD0G9w-y6.encrypted.rtf, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\-McD0G9w-y6.encrypted.rtf, size = 81 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\3 LJxnIVpNPfOuwlcIh-.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\3 LJxnIVpNPfOuwlcIh-.pptx, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\3 LJxnIVpNPfOuwlcIh-.encrypted.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\3 LJxnIVpNPfOuwlcIh-.pptx, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\3 LJxnIVpNPfOuwlcIh-.pptx, size = 65536, size_out = 32573 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\3 LJxnIVpNPfOuwlcIh-.pptx, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\3 LJxnIVpNPfOuwlcIh-.encrypted.pptx, size = 65536, size_out = 3065 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\3 LJxnIVpNPfOuwlcIh-.encrypted.pptx, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\3 LJxnIVpNPfOuwlcIh-.encrypted.pptx, size = 91 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\U9OFxVyaM-sRGNq.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\U9OFxVyaM-sRGNq.doc, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\U9OFxVyaM-sRGNq.encrypted.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\U9OFxVyaM-sRGNq.doc, size = 65536, size_out = 9179 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\U9OFxVyaM-sRGNq.doc, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\U9OFxVyaM-sRGNq.encrypted.doc, size = 65536, size_out = 3156 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\U9OFxVyaM-sRGNq.encrypted.doc, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\U9OFxVyaM-sRGNq.encrypted.doc, size = 85 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\wKBfM0BgIc5.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\wKBfM0BgIc5.pps, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\wKBfM0BgIc5.encrypted.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\wKBfM0BgIc5.pps, size = 65536, size_out = 46883 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\wKBfM0BgIc5.pps, size = 65536, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\wKBfM0BgIc5.pps, type = file_attributes |
|
1 | |
| Module | Load | module_name = msvcrt.dll, base_address = 0x7ffe2a8b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x7ffe2a8b1690 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\wKBfM0BgIc5.encrypted.pps, size = 65536, size_out = 3241 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\wKBfM0BgIc5.encrypted.pps, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7ffe2a59e85c |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\ACt2aRGtYlaHCFWx Ti2.encrypted.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\wKBfM0BgIc5.encrypted.pps, size = 65536, size_out = 6569 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\dQOHpG0Nf9r1mosxu\wKBfM0BgIc5.encrypted.pps, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\ACt2aRGtYlaHCFWx Ti2.encrypted.pps, size = 65536, size_out = 3322 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\ACt2aRGtYlaHCFWx Ti2.encrypted.pps, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\ACt2aRGtYlaHCFWx Ti2.encrypted.pps, size = 92 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\DpJxT01PYg1DSU8dGdRx.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\DpJxT01PYg1DSU8dGdRx.pdf, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\DpJxT01PYg1DSU8dGdRx.encrypted.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\DpJxT01PYg1DSU8dGdRx.pdf, size = 65536, size_out = 27318 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\DpJxT01PYg1DSU8dGdRx.pdf, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\DpJxT01PYg1DSU8dGdRx.encrypted.pdf, size = 65536, size_out = 3414 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\DpJxT01PYg1DSU8dGdRx.encrypted.pdf, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\DpJxT01PYg1DSU8dGdRx.encrypted.pdf, size = 92 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\h_iDTN9q4xoR8AS.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\h_iDTN9q4xoR8AS.ots, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\h_iDTN9q4xoR8AS.encrypted.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\h_iDTN9q4xoR8AS.ots, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\h_iDTN9q4xoR8AS.ots, size = 65536, size_out = 5339 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\h_iDTN9q4xoR8AS.ots, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\h_iDTN9q4xoR8AS.encrypted.ots, size = 65536, size_out = 3506 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\h_iDTN9q4xoR8AS.encrypted.ots, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\h_iDTN9q4xoR8AS.encrypted.ots, size = 87 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\Par3V.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\Par3V.docx, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\Par3V.encrypted.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\Par3V.docx, size = 65536, size_out = 38287 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\Par3V.docx, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\Par3V.encrypted.docx, size = 65536, size_out = 3593 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\Par3V.encrypted.docx, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gIFhUCqicYTOVJewuyW\Par3V.encrypted.docx, size = 78 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gMgUlv1jFWYOWc.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gMgUlv1jFWYOWc.pdf, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gMgUlv1jFWYOWc.encrypted.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gMgUlv1jFWYOWc.pdf, size = 65536, size_out = 4632 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gMgUlv1jFWYOWc.pdf, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gMgUlv1jFWYOWc.encrypted.pdf, size = 65536, size_out = 3671 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gMgUlv1jFWYOWc.encrypted.pdf, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\gMgUlv1jFWYOWc.encrypted.pdf, size = 66 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\iXosKeRIaoImk.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\iXosKeRIaoImk.ods, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\iXosKeRIaoImk.encrypted.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\iXosKeRIaoImk.ods, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\iXosKeRIaoImk.ods, size = 65536, size_out = 12485 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\iXosKeRIaoImk.ods, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\iXosKeRIaoImk.encrypted.ods, size = 65536, size_out = 3737 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\iXosKeRIaoImk.encrypted.ods, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\iXosKeRIaoImk.encrypted.ods, size = 65 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\2-L_bJ82.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\2-L_bJ82.pps, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\2-L_bJ82.encrypted.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\2-L_bJ82.pps, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\2-L_bJ82.pps, size = 65536, size_out = 1613 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\2-L_bJ82.pps, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\2-L_bJ82.encrypted.pps, size = 65536, size_out = 3802 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\2-L_bJ82.encrypted.pps, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\2-L_bJ82.encrypted.pps, size = 66 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\BftNn-lFCQRK6y3V.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\BftNn-lFCQRK6y3V.ods, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\BftNn-lFCQRK6y3V.encrypted.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\BftNn-lFCQRK6y3V.ods, size = 65536, size_out = 45633 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\BftNn-lFCQRK6y3V.ods, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\BftNn-lFCQRK6y3V.encrypted.ods, size = 65536, size_out = 3868 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\BftNn-lFCQRK6y3V.encrypted.ods, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\BftNn-lFCQRK6y3V.encrypted.ods, size = 74 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\fPffAVX.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\fPffAVX.rtf, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\fPffAVX.encrypted.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\fPffAVX.rtf, size = 65536, size_out = 65091 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\fPffAVX.rtf, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\fPffAVX.encrypted.rtf, size = 65536, size_out = 3942 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\fPffAVX.encrypted.rtf, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\fPffAVX.encrypted.rtf, size = 65 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\GOZxV-S.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\GOZxV-S.xlsx, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\GOZxV-S.encrypted.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\GOZxV-S.xlsx, size = 65536, size_out = 32949 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\GOZxV-S.xlsx, size = 65536, size_out = 0 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x7ffe2a641a0c |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\GOZxV-S.encrypted.xlsx, size = 32949 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\GOZxV-S.encrypted.xlsx, size = 65536, size_out = 4007 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\GOZxV-S.encrypted.xlsx, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7ffe2a59e86c |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\LXe-5p6iU.encrypted.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\GOZxV-S.encrypted.xlsx, size = 65536, size_out = 26020 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\GOZxV-S.encrypted.xlsx, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\LXe-5p6iU.encrypted.pdf, size = 65536, size_out = 4073 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\LXe-5p6iU.encrypted.pdf, size = 65536, size_out = 0 |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\LXe-5p6iU.encrypted.pdf, size = 67 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFile, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7ffe2a643194 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\Mz7EF7dcig3 gnT3v.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7ffe2a641560 |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\Mz7EF7dcig3 gnT3v.xls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\Mz7EF7dcig3 gnT3v.encrypted.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\Mz7EF7dcig3 gnT3v.xls, size = 65536, size_out = 62418 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\Mz7EF7dcig3 gnT3v.xls, size = 65536, size_out = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| File | Write | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\Mz7EF7dcig3 gnT3v.encrypted.xls, size = 62432 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyKey, address_out = 0x7ffe2a59f3cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x7ffe2a59e83c |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\Mz7EF7dcig3 gnT3v.encrypted.xls, size = 65536, size_out = 4140 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\Mz7EF7dcig3 gnT3v.encrypted.xls, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7ffe2a59e85c |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\OhQsVpUB.encrypted.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\Mz7EF7dcig3 gnT3v.encrypted.xls, size = 65536, size_out = 65536 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\Mz7EF7dcig3 gnT3v.encrypted.xls, size = 65536, size_out = 16028 |
|
1 | |
| File | Read | filename = C:\Users\5JgHKoaOfdp\Documents\FW U\qhHaI\Mz7EF7dcig3 gnT3v.encrypted.xls, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
|
For performance reasons, the remaining 1591 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:19, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:56 |
| Information | Value |
|---|---|
| PID | 0xb74 |
| Parent PID | 0xaa0 (c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B94
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff623140000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffe2a6431d8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String |
|
2 | ||
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffe2a65e954 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffe2a6434dc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffe2a0836f8 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\schtasks.exe, os_pid = 0xbc8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\schtasks.exe |
| Command Line | schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:19, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:56 |
| Information | Value |
|---|---|
| PID | 0xbc8 |
| Parent PID | 0xb74 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD8
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\schtasks.exe, base_address = 0x7ff6693d0000 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 |
|
2 | |
| System | Get Time | type = Local Time, time = 2017-08-09 01:01:44 (Local Time) |
|
1 | |
| COM | Create | interface = 2FABA4C7-4DA9-4013-9697-20CC3FD40F85, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| System | Get Time | type = Local Time, time = 2017-08-09 01:01:44 (Local Time) |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 72 |
|
1 |
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:20, Reason: Created Scheduled Job |
| Unmonitor | End Time: 00:00:31, Reason: Terminated |
| Monitor Duration | 00:00:11 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x330 |
| Parent PID | 0x200 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
AA8
0x
A44
0x
16C
0x
958
0x
950
0x
8B4
0x
940
0x
954
0x
8C0
0x
4B8
0x
424
0x
988
0x
980
0x
97C
0x
974
0x
968
0x
914
0x
81C
0x
818
0x
308
0x
3FC
0x
54C
0x
4F4
0x
520
0x
5E0
0x
554
0x
24C
0x
14C
0x
7FC
0x
7F8
0x
7E8
0x
7DC
0x
7D0
0x
7C8
0x
7BC
0x
7B8
0x
794
0x
790
0x
77C
0x
778
0x
748
0x
744
0x
73C
0x
738
0x
734
0x
728
0x
724
0x
714
0x
70C
0x
6FC
0x
6E8
0x
6D0
0x
6B8
0x
594
0x
524
0x
46C
0x
458
0x
454
0x
44C
0x
40C
0x
408
0x
3F8
0x
3C0
0x
3B0
0x
394
0x
370
0x
358
0x
22C
0x
13C
0x
1A4
0x
3BC
0x
3B8
0x
378
0x
374
0x
360
0x
35C
0x
354
0x
334
0x
8BC
0x
924
0x
87C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000c0a4e90000 | 0xc0a4e90000 | 0xc0a4e9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a4ea0000 | 0xc0a4ea0000 | 0xc0a4ea6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a4eb0000 | 0xc0a4eb0000 | 0xc0a4ebefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c0a4ec0000 | 0xc0a4ec0000 | 0xc0a4f3ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a4f40000 | 0xc0a4f40000 | 0xc0a4f43fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c0a4f50000 | 0xc0a4f50000 | 0xc0a4f50fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c0a4f60000 | 0xc0a4f60000 | 0xc0a4f61fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xc0a4f70000 | 0xc0a4fedfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000c0a4ff0000 | 0xc0a4ff0000 | 0xc0a4ff6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a5000000 | 0xc0a5000000 | 0xc0a5002fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c0a5010000 | 0xc0a5010000 | 0xc0a5010fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a5020000 | 0xc0a5020000 | 0xc0a5020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a5030000 | 0xc0a5030000 | 0xc0a5030fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a5040000 | 0xc0a5040000 | 0xc0a513ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a5140000 | 0xc0a5140000 | 0xc0a52c7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c0a52d0000 | 0xc0a52d0000 | 0xc0a52d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c0a52e0000 | 0xc0a52e0000 | 0xc0a52e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c0a52f0000 | 0xc0a52f0000 | 0xc0a52f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a5300000 | 0xc0a5300000 | 0xc0a5300fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a5310000 | 0xc0a5310000 | 0xc0a5312fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c0a5320000 | 0xc0a5320000 | 0xc0a532ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a5330000 | 0xc0a5330000 | 0xc0a54b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c0a54c0000 | 0xc0a54c0000 | 0xc0a557ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c0a5580000 | 0xc0a5580000 | 0xc0a5979fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c0a5980000 | 0xc0a5980000 | 0xc0a59fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a5a00000 | 0xc0a5a00000 | 0xc0a5a7ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0xc0a5a80000 | 0xc0a5d54fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000c0a5d60000 | 0xc0a5d60000 | 0xc0a5ddffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a5de0000 | 0xc0a5de0000 | 0xc0a5e5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a5e60000 | 0xc0a5e60000 | 0xc0a5edffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a5ee0000 | 0xc0a5ee0000 | 0xc0a5ee6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a5ef0000 | 0xc0a5ef0000 | 0xc0a5ef6fff | Private Memory | Readable, Writable |
|
|
|
|
| cversions.2.db | 0xc0a5f00000 | 0xc0a5f03fff | Memory Mapped File | Readable |
|
|
|
|
| cversions.2.db | 0xc0a5f10000 | 0xc0a5f13fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000c0a5f20000 | 0xc0a5f20000 | 0xc0a5f2ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a5f30000 | 0xc0a5f30000 | 0xc0a5f30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a5f40000 | 0xc0a5f40000 | 0xc0a5f4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a5f50000 | 0xc0a5f50000 | 0xc0a5fcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a5fd0000 | 0xc0a5fd0000 | 0xc0a604ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6050000 | 0xc0a6050000 | 0xc0a60cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a60d0000 | 0xc0a60d0000 | 0xc0a614ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6150000 | 0xc0a6150000 | 0xc0a61cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a61d0000 | 0xc0a61d0000 | 0xc0a624ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6250000 | 0xc0a6250000 | 0xc0a634ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6350000 | 0xc0a6350000 | 0xc0a63cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a63d0000 | 0xc0a63d0000 | 0xc0a644ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6450000 | 0xc0a6450000 | 0xc0a64cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a64d0000 | 0xc0a64d0000 | 0xc0a654ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6550000 | 0xc0a6550000 | 0xc0a65cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a65d0000 | 0xc0a65d0000 | 0xc0a664ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6650000 | 0xc0a6650000 | 0xc0a66cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a66d0000 | 0xc0a66d0000 | 0xc0a674ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6750000 | 0xc0a6750000 | 0xc0a67cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a67d0000 | 0xc0a67d0000 | 0xc0a684ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6850000 | 0xc0a6850000 | 0xc0a68cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a68d0000 | 0xc0a68d0000 | 0xc0a694ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6950000 | 0xc0a6950000 | 0xc0a6a4ffff | Private Memory | Readable, Writable |
|
|
|
|
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db | 0xc0a6a50000 | 0xc0a6a8dfff | Memory Mapped File | Readable |
|
|
|
|
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xc0a6a90000 | 0xc0a6b10fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000c0a6b20000 | 0xc0a6b20000 | 0xc0a6c1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6c20000 | 0xc0a6c20000 | 0xc0a6c9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6ca0000 | 0xc0a6ca0000 | 0xc0a6d1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6d20000 | 0xc0a6d20000 | 0xc0a6d9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6da0000 | 0xc0a6da0000 | 0xc0a6e1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6e20000 | 0xc0a6e20000 | 0xc0a6e9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6ea0000 | 0xc0a6ea0000 | 0xc0a6f1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6f20000 | 0xc0a6f20000 | 0xc0a6f9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a6fa0000 | 0xc0a6fa0000 | 0xc0a701ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7020000 | 0xc0a7020000 | 0xc0a709ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a70a0000 | 0xc0a70a0000 | 0xc0a711ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7120000 | 0xc0a7120000 | 0xc0a719ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a71a0000 | 0xc0a71a0000 | 0xc0a71a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a71b0000 | 0xc0a71b0000 | 0xc0a722ffff | Private Memory | Readable, Writable |
|
|
|
|
| activeds.dll.mui | 0xc0a7230000 | 0xc0a7230fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000c0a7240000 | 0xc0a7240000 | 0xc0a7240fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a7250000 | 0xc0a7250000 | 0xc0a7250fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a7260000 | 0xc0a7260000 | 0xc0a7260fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c0a7270000 | 0xc0a7270000 | 0xc0a7276fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7280000 | 0xc0a7280000 | 0xc0a7287fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7290000 | 0xc0a7290000 | 0xc0a730ffff | Private Memory | Readable, Writable |
|
|
|
|
| netcfgx.dll.mui | 0xc0a7310000 | 0xc0a7315fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000c0a7320000 | 0xc0a7320000 | 0xc0a7321fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| datastore.edb | 0xc0a7330000 | 0xc0a733ffff | Memory Mapped File | Readable |
|
|
|
|
| datastore.edb | 0xc0a7340000 | 0xc0a734ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000c0a7350000 | 0xc0a7350000 | 0xc0a735ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7360000 | 0xc0a7360000 | 0xc0a736ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7370000 | 0xc0a7370000 | 0xc0a756ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7570000 | 0xc0a7570000 | 0xc0a75effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a75f0000 | 0xc0a75f0000 | 0xc0a766ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7670000 | 0xc0a7670000 | 0xc0a76effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a76f0000 | 0xc0a76f0000 | 0xc0a776ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7770000 | 0xc0a7770000 | 0xc0a77effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a77f0000 | 0xc0a77f0000 | 0xc0a786ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7870000 | 0xc0a7870000 | 0xc0a78effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a78f0000 | 0xc0a78f0000 | 0xc0a796ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7970000 | 0xc0a7970000 | 0xc0a79effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a79f0000 | 0xc0a79f0000 | 0xc0a7a6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7a70000 | 0xc0a7a70000 | 0xc0a7aeffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7af0000 | 0xc0a7af0000 | 0xc0a7b6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7b70000 | 0xc0a7b70000 | 0xc0a7beffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7bf0000 | 0xc0a7bf0000 | 0xc0a7c6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7c70000 | 0xc0a7c70000 | 0xc0a7ceffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7cf0000 | 0xc0a7cf0000 | 0xc0a7deffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7df0000 | 0xc0a7df0000 | 0xc0a7e6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7e70000 | 0xc0a7e70000 | 0xc0a7eeffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7ef0000 | 0xc0a7ef0000 | 0xc0a7f2efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7f30000 | 0xc0a7f30000 | 0xc0a7f3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7f40000 | 0xc0a7f40000 | 0xc0a7f4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7f50000 | 0xc0a7f50000 | 0xc0a7f50fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7f60000 | 0xc0a7f60000 | 0xc0a7f6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a7f70000 | 0xc0a7f70000 | 0xc0a806ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8070000 | 0xc0a8070000 | 0xc0a80effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a80f0000 | 0xc0a80f0000 | 0xc0a816ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8170000 | 0xc0a8170000 | 0xc0a81effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a81f0000 | 0xc0a81f0000 | 0xc0a826ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8270000 | 0xc0a8270000 | 0xc0a82effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a82f0000 | 0xc0a82f0000 | 0xc0a836ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8370000 | 0xc0a8370000 | 0xc0a876ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8770000 | 0xc0a8770000 | 0xc0a87effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8870000 | 0xc0a8870000 | 0xc0a8870fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8880000 | 0xc0a8880000 | 0xc0a888ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8910000 | 0xc0a8910000 | 0xc0a8a0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8a10000 | 0xc0a8a10000 | 0xc0a8a8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8a90000 | 0xc0a8a90000 | 0xc0a8b0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8b10000 | 0xc0a8b10000 | 0xc0a8b8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8b90000 | 0xc0a8b90000 | 0xc0a8c0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8c10000 | 0xc0a8c10000 | 0xc0a8c8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8c90000 | 0xc0a8c90000 | 0xc0a8c93fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8ca0000 | 0xc0a8ca0000 | 0xc0a8ca1fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a8cb0000 | 0xc0a8cb0000 | 0xc0a8de7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c0a8df0000 | 0xc0a8df0000 | 0xc0a8e6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8e70000 | 0xc0a8e70000 | 0xc0a8eeffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8ef0000 | 0xc0a8ef0000 | 0xc0a8ef0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8f00000 | 0xc0a8f00000 | 0xc0a8f0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8f10000 | 0xc0a8f10000 | 0xc0a8f17fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a8f20000 | 0xc0a8f20000 | 0xc0a8f2ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a8f30000 | 0xc0a8f30000 | 0xc0a902ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a9030000 | 0xc0a9030000 | 0xc0a90affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a9130000 | 0xc0a9130000 | 0xc0a91affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a91b0000 | 0xc0a91b0000 | 0xc0a92affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a92b0000 | 0xc0a92b0000 | 0xc0a93affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a93b0000 | 0xc0a93b0000 | 0xc0a94affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a94b0000 | 0xc0a94b0000 | 0xc0a95affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a95b0000 | 0xc0a95b0000 | 0xc0a96affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c0a96b0000 | 0xc0a96b0000 | 0xc0a972ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a9730000 | 0xc0a9730000 | 0xc0a973ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a9740000 | 0xc0a9740000 | 0xc0a974ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a9750000 | 0xc0a9750000 | 0xc0a975ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c0a9760000 | 0xc0a9760000 | 0xc0a976ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
|
For performance reasons, the remaining 383 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /C title 4180649|vssadmin.exe Delete Shadows /All /Quiet |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:45 |
| Information | Value |
|---|---|
| PID | 0x664 |
| Parent PID | 0xaa0 (c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B00
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff623140000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffe2a6431d8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String |
|
2 | ||
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffe2a65e954 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffe2a6434dc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffe2a0836f8 |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe, os_pid = 0x8fc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| File | Open |
|
1 | ||
| File | Get Info | filename = vssadmin.exe, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\vssadmin.exe, os_pid = 0x908, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /C title 9538298|bcdedit /set {default} recoveryenabled No |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:45 |
| Information | Value |
|---|---|
| PID | 0x9a8 |
| Parent PID | 0xaa0 (c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9AC
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff623140000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffe2a6431d8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String |
|
2 | ||
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffe2a65e954 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffe2a6434dc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffe2a0836f8 |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe, os_pid = 0x78c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| File | Open |
|
1 | ||
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\bcdedit.exe, os_pid = 0x874, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /C title 8997147|bcdedit /set {default} bootstatuspolicy ignoreallfailures |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:45 |
| Information | Value |
|---|---|
| PID | 0x5f4 |
| Parent PID | 0xaa0 (c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
870
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff623140000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffe2a6431d8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String |
|
2 | ||
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffe2a65e954 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffe2a6434dc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffe2a0836f8 |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\cmd.exe, os_pid = 0x8a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| File | Open |
|
1 | ||
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\bcdedit.exe, os_pid = 0x938, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" title 9538298" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:45 |
| Information | Value |
|---|---|
| PID | 0x78c |
| Parent PID | 0x9a8 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3E0
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff623140000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffe2a6431d8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
2 | ||
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffe2a65e954 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffe2a6434dc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffe2a0836f8 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\bcdedit.exe |
| Command Line | bcdedit /set {default} recoveryenabled No |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:45 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x874 |
| Parent PID | 0x9a8 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
518
|
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" title 4180649" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:45 |
| Information | Value |
|---|---|
| PID | 0x8fc |
| Parent PID | 0x664 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
90C
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff623140000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffe2a6431d8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
2 | ||
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffe2a65e954 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffe2a6434dc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffe2a0836f8 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\system32\vssadmin.exe |
| Command Line | vssadmin.exe Delete Shadows /All /Quiet |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:45 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x908 |
| Parent PID | 0x664 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
928
0x
2C8
0x
8E4
0x
60C
|
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" title 8997147" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:45 |
| Information | Value |
|---|---|
| PID | 0x8a0 |
| Parent PID | 0x5f4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
89C
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff623140000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffe2a6431d8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
2 | ||
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffe2a65e954 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffe2a6434dc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffe2a0836f8 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\bcdedit.exe |
| Command Line | bcdedit /set {default} bootstatuspolicy ignoreallfailures |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:45 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x938 |
| Parent PID | 0x5f4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4E4
|
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\users\5jghko~1\desktop\wanacr~1.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:44 |
| Information | Value |
|---|---|
| PID | 0x880 |
| Parent PID | 0xaa0 (c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B14
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7ffe2a643de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x7ffe2a643ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x7ffe2a64165c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x7ffe2a64164c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x7ffe2a6434d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x7ffe2a65bba4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x7ffe2a6f8b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7ffe2a644020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7ffe2a64415c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7ffe2cb4ac78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffe2cb93808 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7ffe2cb4ba8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7ffe2a64a4e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7ffe2cb97284 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7ffe2cb926cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x7ffe2cbb7300 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffe2cb96e94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x7ffe2cbb6190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7ffe2a644780 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7ffe2a71d040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x7ffe2a148320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7ffe2a71d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x7ffe2a6443cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x7ffe2a71d2b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7ffe2a644060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7ffe2a6f8fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7ffe2a644050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7ffe2a6441d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7ffe2a643fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7ffe2a07c850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7ffe2a641678 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:01:55 (UTC) |
|
5 | |
| Debug | Check for Presence | c:\users\5jghko~1\desktop\wanacr~1.exe |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:01:55 (UTC) |
|
8 | |
| Window | Create | window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | window_name = WanaCry4, class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 354, y_out = 388 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Window | Create | window_name = Decrypt Files, class_name = button, wndproc_parameter = 0 |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x7ffe2a3b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = SendMessageW, address_out = 0x7ffe2a3b6970 |
|
1 | |
| File | Read | size = 65536, size_out = 12874 |
|
1 | |
| File | Read | size = 65536, size_out = 0 |
|
1 | |
| File | Read | size = 65536, size_out = 12874 |
|
2 | |
| File | Read | size = 65536, size_out = 0 |
|
1 | |
| File | Read | size = 65536, size_out = 12874 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x7ffe29751010 |
|
1 | |
| Window | Create | window_name = Your files has been safely encrypted, class_name = static, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Decryptionkey, class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Buy Bitcoins, class_name = button, wndproc_parameter = 0 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\1365363213, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Window | Create | window_name = The only way you can recover your files is to buy a decryption key, Please send the mentioned about of money in bitcoins to the following address bitcoin:1rixKVYiwwtDheLLb7QHEmxF4Nb1Xt1Fq or all files will be deleted in 72 hours,,,,,, After payment Please Contact (shadowbroker_1@protonmail.com) The payment method is: Bitcoins. The price is: $1000 = 0.44407866 Bitcoins Click on the 'Buy decryption key' button., class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 354, y_out = 388 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
4 | |
| System | Get Cursor | x_out = 568, y_out = 532 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
8 | |
| System | Get Cursor | x_out = 568, y_out = 532 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
16 | |
| System | Get Cursor | x_out = 568, y_out = 532 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 568, y_out = 532 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| System | Get Cursor | x_out = 867, y_out = 515 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Module | Load | module_name = Advapi32.dll, base_address = 0x7ffe2a590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x7ffe2a59f478 |
|
1 | |
| File | Read | size = 65536, size_out = 16 |
|
1 | |
| File | Read | size = 65536, size_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 867, y_out = 515 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| File | Write | size = 4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyKey, address_out = 0x7ffe2a59f3cc |
|
1 | |
| Window | Create |
|
1 | ||
| System | Get Cursor | x_out = 867, y_out = 515 |
|
2 | |
| System | Get Cursor | x_out = 784, y_out = 510 |
|
1 | |
| Process | Create | process_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, os_pid = 0x87c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\users\5jghko~1\desktop\wanacr~1.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:41 |
| Information | Value |
|---|---|
| PID | 0x87c |
| Parent PID | 0x880 (c:\users\5jghko~1\desktop\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
890
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x00000026a4650000 | 0x26a4650000 | 0x26a466ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000026a4650000 | 0x26a4650000 | 0x26a465ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000026a4660000 | 0x26a4660000 | 0x26a4666fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000026a4670000 | 0x26a4670000 | 0x26a467efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000026a4680000 | 0x26a4680000 | 0x26a4a7ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000026a4a80000 | 0x26a4a80000 | 0x26a4a83fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000026a4a90000 | 0x26a4a90000 | 0x26a4a91fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000026a4aa0000 | 0x26a4aa0000 | 0x26a4aa1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000026a4ab0000 | 0x26a4ab0000 | 0x26a4ab6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000026a4ac0000 | 0x26a4ac0000 | 0x26a4ac0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000026a4ad0000 | 0x26a4ad0000 | 0x26a4ad0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000026a4ae0000 | 0x26a4ae0000 | 0x26a4ae0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000026a4ae0000 | 0x26a4ae0000 | 0x26a4ae3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000026a4af0000 | 0x26a4af0000 | 0x26a4af1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000026a4b00000 | 0x26a4b00000 | 0x26a4efffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x26a4f00000 | 0x26a4f7dfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000026a4f80000 | 0x26a4f80000 | 0x26a5107fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000026a5110000 | 0x26a5110000 | 0x26a5116fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000026a5120000 | 0x26a5120000 | 0x26a5120fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000026a5130000 | 0x26a5130000 | 0x26a513ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000026a5140000 | 0x26a5140000 | 0x26a52c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000026a52d0000 | 0x26a52d0000 | 0x26a66cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0x26a66d0000 | 0x26a6789fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000026a66d0000 | 0x26a66d0000 | 0x26a67bffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000026a67c0000 | 0x26a67c0000 | 0x26a68bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000026a68c0000 | 0x26a68c0000 | 0x26a68cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000026a68d0000 | 0x26a68d0000 | 0x26a69d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x26a68d0000 | 0x26a6ba4fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000026a6bb0000 | 0x26a6bb0000 | 0x26a6bb0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000026a6bc0000 | 0x26a6bc0000 | 0x26a6bc0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000026a6bd0000 | 0x26a6bd0000 | 0x26a70c1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x26a70d0000 | 0x26a7f3ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000026a7f40000 | 0x26a7f40000 | 0x26a8157fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000026a8160000 | 0x26a8160000 | 0x26a8160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| imageres.dll | 0x26a8160000 | 0x26aaff5fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000026ab000000 | 0x26ab000000 | 0x26ab002fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000026ab010000 | 0x26ab010000 | 0x26ab010fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000026ab020000 | 0x26ab020000 | 0x26ab419fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000026ab420000 | 0x26ab420000 | 0x26ab463fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000026ab470000 | 0x26ab470000 | 0x26ab494fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff756010000 | 0x7ff756010000 | 0x7ff75610ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff756110000 | 0x7ff756110000 | 0x7ff756132fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff756137000 | 0x7ff756137000 | 0x7ff756137fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75613e000 | 0x7ff75613e000 | 0x7ff75613ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x7ff756b50000 | 0x7ff756c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffe21e80000 | 0x7ffe21e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffe22ac0000 | 0x7ffe22ae9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffe22af0000 | 0x7ffe22b0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffe24b90000 | 0x7ffe24baafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffe24bb0000 | 0x7ffe24e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffe24e60000 | 0x7ffe2509ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffe25c20000 | 0x7ffe25c29fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffe25c90000 | 0x7ffe25c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffe25f10000 | 0x7ffe25f38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffe26510000 | 0x7ffe26525fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffe26550000 | 0x7ffe26564fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffe280b0000 | 0x7ffe28309fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffe28580000 | 0x7ffe285a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffe28760000 | 0x7ffe28800fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffe28ba0000 | 0x7ffe28cc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffe28d20000 | 0x7ffe28d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffe28d70000 | 0x7ffe28d79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffe29350000 | 0x7ffe29384fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffe29460000 | 0x7ffe2947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffe29750000 | 0x7ffe2975bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffe29760000 | 0x7ffe2977dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffe29990000 | 0x7ffe299b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffe29c20000 | 0x7ffe29c44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffe29cb0000 | 0x7ffe29d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffe29e80000 | 0x7ffe29e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffe29ea0000 | 0x7ffe29eb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffe2a070000 | 0x7ffe2a17dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffe2a360000 | 0x7ffe2a3a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffe2a3b0000 | 0x7ffe2a520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffe2a530000 | 0x7ffe2a586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffe2a590000 | 0x7ffe2a634fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffe2a640000 | 0x7ffe2a778fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffe2a780000 | 0x7ffe2a836fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffe2a8b0000 | 0x7ffe2a956fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffe2a960000 | 0x7ffe2aaa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffe2aab0000 | 0x7ffe2bebefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffe2bf40000 | 0x7ffe2c116fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffe2c1d0000 | 0x7ffe2c203fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffe2c210000 | 0x7ffe2c385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffe2c390000 | 0x7ffe2c4c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffe2c4d0000 | 0x7ffe2c527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffe2c710000 | 0x7ffe2c7a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffe2c7b0000 | 0x7ffe2c8e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffe2caa0000 | 0x7ffe2caa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffe2cab0000 | 0x7ffe2cab8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffe2cac0000 | 0x7ffe2cb10fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffe2cb20000 | 0x7ffe2ccc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\progra~1\common~1\3123635631 | 0.00 KB (4 bytes) |
MD5:
a54f0041a9e15b050f25c463f1db7449
SHA1: d9be6524a5f5047db5866813acf3277892a7a30a SHA256: ad95131bc0b799c0b1af477fb14fcf26a6a9f76079e48bf090acb7e8367bfd0e |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7ffe2a643de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x7ffe2a643ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x7ffe2a64165c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x7ffe2a64164c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x7ffe2a6434d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x7ffe2a65bba4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x7ffe2a6f8b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7ffe2a644020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7ffe2a64415c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7ffe2cb4ac78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffe2cb93808 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7ffe2cb4ba8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7ffe2a64a4e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7ffe2cb97284 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7ffe2cb926cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x7ffe2cbb7300 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffe2cb96e94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x7ffe2cbb6190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7ffe2a644780 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7ffe2a71d040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x7ffe2a148320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7ffe2a71d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x7ffe2a6443cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x7ffe2a71d2b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7ffe2a644060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7ffe2a6f8fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7ffe2a644050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7ffe2a6441d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7ffe2a643fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7ffe2a07c850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7ffe2a641678 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:01:58 (UTC) |
|
5 | |
| Debug | Check for Presence | c:\users\5jghko~1\desktop\wanacr~1.exe |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:01:58 (UTC) |
|
8 | |
| Window | Create | window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | window_name = WanaCry4, class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 784, y_out = 510 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Window | Create | window_name = Decrypt Files, class_name = button, wndproc_parameter = 0 |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x7ffe2a3b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = SendMessageW, address_out = 0x7ffe2a3b6970 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\log.txt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
2 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x7ffe29751010 |
|
1 | |
| Window | Create | window_name = Your files has been safely encrypted, class_name = static, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Decryptionkey, class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Buy Bitcoins, class_name = button, wndproc_parameter = 0 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\1365363213, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Window | Create | window_name = The only way you can recover your files is to buy a decryption key, Please send the mentioned about of money in bitcoins to the following address bitcoin:1rixKVYiwwtDheLLb7QHEmxF4Nb1Xt1Fq or all files will be deleted in 72 hours,,,,,, After payment Please Contact (shadowbroker_1@protonmail.com) The payment method is: Bitcoins. The price is: $1000 = 0.44407866 Bitcoins Click on the 'Buy decryption key' button., class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 784, y_out = 510 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
5 | |
| System | Get Cursor | x_out = 784, y_out = 510 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
28 | |
| System | Get Cursor | x_out = 784, y_out = 510 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
3 | |
| System | Get Cursor | x_out = 538, y_out = 534 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
26 | |
| System | Get Cursor | x_out = 538, y_out = 534 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
3 | |
| System | Get Cursor | x_out = 538, y_out = 534 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
3 | |
| System | Get Cursor | x_out = 538, y_out = 534 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 538, y_out = 534 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| System | Get Cursor | x_out = 888, y_out = 515 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Module | Load | module_name = Advapi32.dll, base_address = 0x7ffe2a590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x7ffe2a59f478 |
|
1 | |
| File | Get Info | filename = C:\PROGRA~1\COMMON~1\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\3123635631, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 16 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Get Cursor | x_out = 888, y_out = 515 |
|
2 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| System | Get Cursor | x_out = 765, y_out = 507 |
|
1 | |
| Process | Create | process_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, os_pid = 0x9c0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 | |
| System | Get Cursor | x_out = 765, y_out = 507 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\users\5jghko~1\desktop\wanacr~1.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:37, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:38 |
| Information | Value |
|---|---|
| PID | 0x9c0 |
| Parent PID | 0x87c (c:\users\5jghko~1\desktop\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9C8
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000000b61d60000 | 0xb61d60000 | 0xb61d7ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000b61d60000 | 0xb61d60000 | 0xb61d6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000b61d70000 | 0xb61d70000 | 0xb61d76fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000b61d80000 | 0xb61d80000 | 0xb61d8efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000b61d90000 | 0xb61d90000 | 0xb6218ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000b62190000 | 0xb62190000 | 0xb62193fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000b621a0000 | 0xb621a0000 | 0xb621a1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000b621b0000 | 0xb621b0000 | 0xb621b1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xb621c0000 | 0xb6223dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000b62240000 | 0xb62240000 | 0xb62246fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000b62250000 | 0xb62250000 | 0xb62250fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000b62260000 | 0xb62260000 | 0xb62260fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000b62270000 | 0xb62270000 | 0xb62270fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000b62270000 | 0xb62270000 | 0xb62273fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000b62280000 | 0xb62280000 | 0xb62281fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000b62290000 | 0xb62290000 | 0xb62296fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000b622a0000 | 0xb622a0000 | 0xb622a0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000b622b0000 | 0xb622b0000 | 0xb622b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000b622c0000 | 0xb622c0000 | 0xb622c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000b622d0000 | 0xb622d0000 | 0xb622d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000b622d0000 | 0xb622d0000 | 0xb622d2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000b622e0000 | 0xb622e0000 | 0xb626dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000b626e0000 | 0xb626e0000 | 0xb62867fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000b62870000 | 0xb62870000 | 0xb62870fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000b62890000 | 0xb62890000 | 0xb6289ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000b628a0000 | 0xb628a0000 | 0xb62a20fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000b62a30000 | 0xb62a30000 | 0xb63e2ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0xb63e30000 | 0xb63ee9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000b63e30000 | 0xb63e30000 | 0xb63f1ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000b63f20000 | 0xb63f20000 | 0xb63f63fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000b63f70000 | 0xb63f70000 | 0xb63f94fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000b63fa0000 | 0xb63fa0000 | 0xb63faffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000b63fb0000 | 0xb63fb0000 | 0xb640affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000b640b0000 | 0xb640b0000 | 0xb641b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0xb640b0000 | 0xb64384fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000b64390000 | 0xb64390000 | 0xb64881fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xb64890000 | 0xb656fffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000b65700000 | 0xb65700000 | 0xb65917fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xb65920000 | 0xb687b5fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000b687c0000 | 0xb687c0000 | 0xb68bb9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff755ff0000 | 0x7ff755ff0000 | 0x7ff7560effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff7560f0000 | 0x7ff7560f0000 | 0x7ff756112fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff75611d000 | 0x7ff75611d000 | 0x7ff75611efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75611f000 | 0x7ff75611f000 | 0x7ff75611ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x7ff756b50000 | 0x7ff756c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffe21e80000 | 0x7ffe21e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffe22ac0000 | 0x7ffe22ae9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffe22af0000 | 0x7ffe22b0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffe24b90000 | 0x7ffe24baafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffe24bb0000 | 0x7ffe24e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffe24e60000 | 0x7ffe2509ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffe25c20000 | 0x7ffe25c29fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffe25c90000 | 0x7ffe25c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffe25f10000 | 0x7ffe25f38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffe26510000 | 0x7ffe26525fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffe26550000 | 0x7ffe26564fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffe280b0000 | 0x7ffe28309fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffe28580000 | 0x7ffe285a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffe28760000 | 0x7ffe28800fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffe28ba0000 | 0x7ffe28cc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffe28d20000 | 0x7ffe28d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffe28d70000 | 0x7ffe28d79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffe29350000 | 0x7ffe29384fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffe29460000 | 0x7ffe2947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffe29750000 | 0x7ffe2975bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffe29760000 | 0x7ffe2977dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffe29990000 | 0x7ffe299b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffe29c20000 | 0x7ffe29c44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffe29cb0000 | 0x7ffe29d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffe29e80000 | 0x7ffe29e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffe29ea0000 | 0x7ffe29eb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffe2a070000 | 0x7ffe2a17dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffe2a360000 | 0x7ffe2a3a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffe2a3b0000 | 0x7ffe2a520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffe2a530000 | 0x7ffe2a586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffe2a590000 | 0x7ffe2a634fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffe2a640000 | 0x7ffe2a778fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffe2a780000 | 0x7ffe2a836fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffe2a8b0000 | 0x7ffe2a956fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffe2a960000 | 0x7ffe2aaa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffe2aab0000 | 0x7ffe2bebefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffe2bf40000 | 0x7ffe2c116fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffe2c1d0000 | 0x7ffe2c203fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffe2c210000 | 0x7ffe2c385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffe2c390000 | 0x7ffe2c4c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffe2c4d0000 | 0x7ffe2c527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffe2c710000 | 0x7ffe2c7a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffe2c7b0000 | 0x7ffe2c8e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffe2caa0000 | 0x7ffe2caa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffe2cab0000 | 0x7ffe2cab8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffe2cac0000 | 0x7ffe2cb10fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffe2cb20000 | 0x7ffe2ccc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7ffe2a643de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x7ffe2a643ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x7ffe2a64165c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x7ffe2a64164c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x7ffe2a6434d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x7ffe2a65bba4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x7ffe2a6f8b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7ffe2a644020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7ffe2a64415c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7ffe2cb4ac78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffe2cb93808 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7ffe2cb4ba8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7ffe2a64a4e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7ffe2cb97284 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7ffe2cb926cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x7ffe2cbb7300 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffe2cb96e94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x7ffe2cbb6190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7ffe2a644780 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7ffe2a71d040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x7ffe2a148320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7ffe2a71d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x7ffe2a6443cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x7ffe2a71d2b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7ffe2a644060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7ffe2a6f8fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7ffe2a644050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7ffe2a6441d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7ffe2a643fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7ffe2a07c850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7ffe2a641678 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:01 (UTC) |
|
5 | |
| Debug | Check for Presence | c:\users\5jghko~1\desktop\wanacr~1.exe |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:01 (UTC) |
|
8 | |
| Window | Create | window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | window_name = WanaCry4, class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 765, y_out = 507 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Window | Create | window_name = Decrypt Files, class_name = button, wndproc_parameter = 0 |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x7ffe2a3b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = SendMessageW, address_out = 0x7ffe2a3b6970 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\log.txt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
2 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x7ffe29751010 |
|
1 | |
| Window | Create | window_name = Your files has been safely encrypted, class_name = static, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Decryptionkey, class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Buy Bitcoins, class_name = button, wndproc_parameter = 0 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\1365363213, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Window | Create | window_name = The only way you can recover your files is to buy a decryption key, Please send the mentioned about of money in bitcoins to the following address bitcoin:1rixKVYiwwtDheLLb7QHEmxF4Nb1Xt1Fq or all files will be deleted in 72 hours,,,,,, After payment Please Contact (shadowbroker_1@protonmail.com) The payment method is: Bitcoins. The price is: $1000 = 0.44407866 Bitcoins Click on the 'Buy decryption key' button., class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 765, y_out = 507 |
|
1 | |
| System | Get Cursor | x_out = 559, y_out = 545 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
25 | |
| System | Get Cursor | x_out = 559, y_out = 545 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
4 | |
| System | Get Cursor | x_out = 559, y_out = 545 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
2 | |
| System | Get Cursor | x_out = 559, y_out = 545 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
2 | |
| System | Get Cursor | x_out = 559, y_out = 545 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| System | Get Cursor | x_out = 559, y_out = 545 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| System | Get Cursor | x_out = 864, y_out = 508 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Module | Load | module_name = Advapi32.dll, base_address = 0x7ffe2a590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x7ffe2a59f478 |
|
1 | |
| File | Get Info | filename = C:\PROGRA~1\COMMON~1\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\3123635631, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 16 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| System | Get Cursor | x_out = 864, y_out = 508 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDecrypt, address_out = 0x7ffe2a5bf86c |
|
1 | |
| Window | Create |
|
1 | ||
| System | Get Cursor | x_out = 864, y_out = 508 |
|
2 | |
| System | Get Cursor | x_out = 786, y_out = 513 |
|
1 | |
| Process | Create | process_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, os_pid = 0xa3c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| System | Get Cursor | x_out = 786, y_out = 513 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\users\5jghko~1\desktop\wanacr~1.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:36 |
| Information | Value |
|---|---|
| PID | 0xa3c |
| Parent PID | 0x9c0 (c:\users\5jghko~1\desktop\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A98
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000bf608f0000 | 0xbf608f0000 | 0xbf6090ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bf608f0000 | 0xbf608f0000 | 0xbf608fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000bf60900000 | 0xbf60900000 | 0xbf60906fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bf60910000 | 0xbf60910000 | 0xbf6091efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bf60920000 | 0xbf60920000 | 0xbf60d1ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bf60d20000 | 0xbf60d20000 | 0xbf60d23fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bf60d30000 | 0xbf60d30000 | 0xbf60d31fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bf60d40000 | 0xbf60d40000 | 0xbf60d41fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bf60d50000 | 0xbf60d50000 | 0xbf60d56fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bf60d60000 | 0xbf60d60000 | 0xbf60d60fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bf60d70000 | 0xbf60d70000 | 0xbf60d70fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bf60d80000 | 0xbf60d80000 | 0xbf60d80fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bf60d80000 | 0xbf60d80000 | 0xbf60d83fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bf60d90000 | 0xbf60d90000 | 0xbf60d91fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bf60da0000 | 0xbf60da0000 | 0xbf6119ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xbf611a0000 | 0xbf6121dfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000bf61220000 | 0xbf61220000 | 0xbf613a7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bf613b0000 | 0xbf613b0000 | 0xbf613b6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bf613c0000 | 0xbf613c0000 | 0xbf613c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bf613d0000 | 0xbf613d0000 | 0xbf613d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000bf613e0000 | 0xbf613e0000 | 0xbf613effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bf613f0000 | 0xbf613f0000 | 0xbf61570fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bf61580000 | 0xbf61580000 | 0xbf6297ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0xbf62980000 | 0xbf62a39fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000bf62980000 | 0xbf62980000 | 0xbf62980fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bf62990000 | 0xbf62990000 | 0xbf62990fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bf62990000 | 0xbf62990000 | 0xbf62992fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bf629a0000 | 0xbf629a0000 | 0xbf629a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bf629b0000 | 0xbf629b0000 | 0xbf629f3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bf62a00000 | 0xbf62a00000 | 0xbf62a24fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000bf62a60000 | 0xbf62a60000 | 0xbf62a6ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bf62a70000 | 0xbf62a70000 | 0xbf62b5ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bf62b60000 | 0xbf62b60000 | 0xbf62c5ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bf62c60000 | 0xbf62c60000 | 0xbf62d60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0xbf62c60000 | 0xbf62f34fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000bf62f40000 | 0xbf62f40000 | 0xbf63431fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xbf63440000 | 0xbf642affff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000bf642b0000 | 0xbf642b0000 | 0xbf644c7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xbf644d0000 | 0xbf67365fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000bf67370000 | 0xbf67370000 | 0xbf67769fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff755e50000 | 0x7ff755e50000 | 0x7ff755f4ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff755f50000 | 0x7ff755f50000 | 0x7ff755f72fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff755f75000 | 0x7ff755f75000 | 0x7ff755f75fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff755f7e000 | 0x7ff755f7e000 | 0x7ff755f7ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x7ff756b50000 | 0x7ff756c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffe21e80000 | 0x7ffe21e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffe22ac0000 | 0x7ffe22ae9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffe22af0000 | 0x7ffe22b0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffe24b90000 | 0x7ffe24baafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffe24bb0000 | 0x7ffe24e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffe24e60000 | 0x7ffe2509ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffe25c20000 | 0x7ffe25c29fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffe25c90000 | 0x7ffe25c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffe25f10000 | 0x7ffe25f38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffe26510000 | 0x7ffe26525fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffe26550000 | 0x7ffe26564fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffe280b0000 | 0x7ffe28309fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffe28580000 | 0x7ffe285a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffe28760000 | 0x7ffe28800fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffe28ba0000 | 0x7ffe28cc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffe28d20000 | 0x7ffe28d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffe28d70000 | 0x7ffe28d79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffe29350000 | 0x7ffe29384fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffe29460000 | 0x7ffe2947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffe29750000 | 0x7ffe2975bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffe29760000 | 0x7ffe2977dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffe29990000 | 0x7ffe299b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffe29c20000 | 0x7ffe29c44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffe29cb0000 | 0x7ffe29d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffe29e80000 | 0x7ffe29e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffe29ea0000 | 0x7ffe29eb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffe2a070000 | 0x7ffe2a17dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffe2a360000 | 0x7ffe2a3a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffe2a3b0000 | 0x7ffe2a520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffe2a530000 | 0x7ffe2a586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffe2a590000 | 0x7ffe2a634fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffe2a640000 | 0x7ffe2a778fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffe2a780000 | 0x7ffe2a836fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffe2a8b0000 | 0x7ffe2a956fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffe2a960000 | 0x7ffe2aaa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffe2aab0000 | 0x7ffe2bebefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffe2bf40000 | 0x7ffe2c116fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffe2c1d0000 | 0x7ffe2c203fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffe2c210000 | 0x7ffe2c385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffe2c390000 | 0x7ffe2c4c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffe2c4d0000 | 0x7ffe2c527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffe2c710000 | 0x7ffe2c7a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffe2c7b0000 | 0x7ffe2c8e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffe2caa0000 | 0x7ffe2caa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffe2cab0000 | 0x7ffe2cab8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffe2cac0000 | 0x7ffe2cb10fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffe2cb20000 | 0x7ffe2ccc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7ffe2a643de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x7ffe2a643ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x7ffe2a64165c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x7ffe2a64164c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x7ffe2a6434d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x7ffe2a65bba4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x7ffe2a6f8b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7ffe2a644020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7ffe2a64415c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7ffe2cb4ac78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffe2cb93808 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7ffe2cb4ba8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7ffe2a64a4e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7ffe2cb97284 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7ffe2cb926cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x7ffe2cbb7300 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffe2cb96e94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x7ffe2cbb6190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7ffe2a644780 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7ffe2a71d040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x7ffe2a148320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7ffe2a71d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x7ffe2a6443cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x7ffe2a71d2b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7ffe2a644060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7ffe2a6f8fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7ffe2a644050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7ffe2a6441d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7ffe2a643fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7ffe2a07c850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7ffe2a641678 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:03 (UTC) |
|
5 | |
| Debug | Check for Presence | c:\users\5jghko~1\desktop\wanacr~1.exe |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:03 (UTC) |
|
8 | |
| Window | Create | window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | window_name = WanaCry4, class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 786, y_out = 513 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Window | Create | window_name = Decrypt Files, class_name = button, wndproc_parameter = 0 |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x7ffe2a3b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = SendMessageW, address_out = 0x7ffe2a3b6970 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\log.txt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
2 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x7ffe29751010 |
|
1 | |
| Window | Create | window_name = Your files has been safely encrypted, class_name = static, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Decryptionkey, class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Buy Bitcoins, class_name = button, wndproc_parameter = 0 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\1365363213, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Window | Create | window_name = The only way you can recover your files is to buy a decryption key, Please send the mentioned about of money in bitcoins to the following address bitcoin:1rixKVYiwwtDheLLb7QHEmxF4Nb1Xt1Fq or all files will be deleted in 72 hours,,,,,, After payment Please Contact (shadowbroker_1@protonmail.com) The payment method is: Bitcoins. The price is: $1000 = 0.44407866 Bitcoins Click on the 'Buy decryption key' button., class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 786, y_out = 513 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
13 | |
| System | Get Cursor | x_out = 786, y_out = 513 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
28 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| System | Get Cursor | x_out = 573, y_out = 541 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 573, y_out = 541 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| System | Get Cursor | x_out = 862, y_out = 507 |
|
1 | |
| Module | Load | module_name = Advapi32.dll, base_address = 0x7ffe2a590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x7ffe2a59f478 |
|
1 | |
| System | Get Cursor | x_out = 862, y_out = 507 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7ffe2a59e85c |
|
1 | |
| File | Get Info | filename = C:\PROGRA~1\COMMON~1\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\3123635631, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 16 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Get Cursor | x_out = 862, y_out = 507 |
|
2 | |
| System | Get Cursor | x_out = 800, y_out = 505 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| System | Get Cursor | x_out = 800, y_out = 505 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Process | Create | process_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, os_pid = 0xae0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\users\5jghko~1\desktop\wanacr~1.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:33 |
| Information | Value |
|---|---|
| PID | 0xae0 |
| Parent PID | 0xa3c (c:\users\5jghko~1\desktop\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B08
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000a96a8a0000 | 0xa96a8a0000 | 0xa96a8bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a96a8a0000 | 0xa96a8a0000 | 0xa96a8affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000a96a8b0000 | 0xa96a8b0000 | 0xa96a8b6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a96a8c0000 | 0xa96a8c0000 | 0xa96a8cefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a96a8d0000 | 0xa96a8d0000 | 0xa96accffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a96acd0000 | 0xa96acd0000 | 0xa96acd3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a96ace0000 | 0xa96ace0000 | 0xa96ace1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a96acf0000 | 0xa96acf0000 | 0xa96acf1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a96ad00000 | 0xa96ad00000 | 0xa96ad06fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a96ad10000 | 0xa96ad10000 | 0xa96ad10fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a96ad20000 | 0xa96ad20000 | 0xa96ad20fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a96ad30000 | 0xa96ad30000 | 0xa96ad30fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a96ad30000 | 0xa96ad30000 | 0xa96ad33fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a96ad40000 | 0xa96ad40000 | 0xa96ad41fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a96ad50000 | 0xa96ad50000 | 0xa96ad56fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a96ad60000 | 0xa96ad60000 | 0xa96b15ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xa96b160000 | 0xa96b1ddfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000a96b1e0000 | 0xa96b1e0000 | 0xa96b1e0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a96b1f0000 | 0xa96b1f0000 | 0xa96b1f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000a96b200000 | 0xa96b200000 | 0xa96b200fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a96b210000 | 0xa96b210000 | 0xa96b210fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a96b210000 | 0xa96b210000 | 0xa96b212fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a96b220000 | 0xa96b220000 | 0xa96b220fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a96b230000 | 0xa96b230000 | 0xa96b254fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000a96b260000 | 0xa96b260000 | 0xa96b26ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a96b270000 | 0xa96b270000 | 0xa96b3f7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a96b400000 | 0xa96b400000 | 0xa96b580fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a96b590000 | 0xa96b590000 | 0xa96c98ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0xa96c990000 | 0xa96ca49fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000a96c990000 | 0xa96c990000 | 0xa96ca7ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a96ca80000 | 0xa96ca80000 | 0xa96cac3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000a96cb00000 | 0xa96cb00000 | 0xa96cb0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a96cb10000 | 0xa96cb10000 | 0xa96cc0ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a96cc10000 | 0xa96cc10000 | 0xa96cd10fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0xa96cc10000 | 0xa96cee4fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000a96cef0000 | 0xa96cef0000 | 0xa96d3e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xa96d3f0000 | 0xa96e25ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000a96e260000 | 0xa96e260000 | 0xa96e477fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xa96e480000 | 0xa971315fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000a971320000 | 0xa971320000 | 0xa971719fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff7569b0000 | 0x7ff7569b0000 | 0x7ff756aaffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff756ab0000 | 0x7ff756ab0000 | 0x7ff756ad2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff756adc000 | 0x7ff756adc000 | 0x7ff756addfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff756ade000 | 0x7ff756ade000 | 0x7ff756adefff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x7ff756b50000 | 0x7ff756c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffe21e80000 | 0x7ffe21e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffe22ac0000 | 0x7ffe22ae9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffe22af0000 | 0x7ffe22b0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffe24b90000 | 0x7ffe24baafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffe24bb0000 | 0x7ffe24e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffe24e60000 | 0x7ffe2509ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffe25c20000 | 0x7ffe25c29fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffe25c90000 | 0x7ffe25c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffe25f10000 | 0x7ffe25f38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffe26510000 | 0x7ffe26525fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffe26550000 | 0x7ffe26564fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffe280b0000 | 0x7ffe28309fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffe28580000 | 0x7ffe285a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffe28760000 | 0x7ffe28800fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffe28ba0000 | 0x7ffe28cc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffe28d20000 | 0x7ffe28d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffe28d70000 | 0x7ffe28d79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffe29350000 | 0x7ffe29384fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffe29460000 | 0x7ffe2947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffe29750000 | 0x7ffe2975bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffe29760000 | 0x7ffe2977dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffe29990000 | 0x7ffe299b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffe29c20000 | 0x7ffe29c44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffe29cb0000 | 0x7ffe29d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffe29e80000 | 0x7ffe29e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffe29ea0000 | 0x7ffe29eb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffe2a070000 | 0x7ffe2a17dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffe2a360000 | 0x7ffe2a3a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffe2a3b0000 | 0x7ffe2a520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffe2a530000 | 0x7ffe2a586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffe2a590000 | 0x7ffe2a634fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffe2a640000 | 0x7ffe2a778fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffe2a780000 | 0x7ffe2a836fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffe2a8b0000 | 0x7ffe2a956fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffe2a960000 | 0x7ffe2aaa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffe2aab0000 | 0x7ffe2bebefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffe2bf40000 | 0x7ffe2c116fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffe2c1d0000 | 0x7ffe2c203fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffe2c210000 | 0x7ffe2c385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffe2c390000 | 0x7ffe2c4c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffe2c4d0000 | 0x7ffe2c527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffe2c710000 | 0x7ffe2c7a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffe2c7b0000 | 0x7ffe2c8e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffe2caa0000 | 0x7ffe2caa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffe2cab0000 | 0x7ffe2cab8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffe2cac0000 | 0x7ffe2cb10fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffe2cb20000 | 0x7ffe2ccc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7ffe2a643de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x7ffe2a643ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x7ffe2a64165c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x7ffe2a64164c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x7ffe2a6434d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x7ffe2a65bba4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x7ffe2a6f8b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7ffe2a644020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7ffe2a64415c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7ffe2cb4ac78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffe2cb93808 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7ffe2cb4ba8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7ffe2a64a4e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7ffe2cb97284 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7ffe2cb926cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x7ffe2cbb7300 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffe2cb96e94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x7ffe2cbb6190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7ffe2a644780 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7ffe2a71d040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x7ffe2a148320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7ffe2a71d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x7ffe2a6443cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x7ffe2a71d2b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7ffe2a644060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7ffe2a6f8fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7ffe2a644050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7ffe2a6441d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7ffe2a643fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7ffe2a07c850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7ffe2a641678 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:06 (UTC) |
|
5 | |
| Debug | Check for Presence | c:\users\5jghko~1\desktop\wanacr~1.exe |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:06 (UTC) |
|
8 | |
| Window | Create | window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | window_name = WanaCry4, class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 800, y_out = 505 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Window | Create | window_name = Decrypt Files, class_name = button, wndproc_parameter = 0 |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x7ffe2a3b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = SendMessageW, address_out = 0x7ffe2a3b6970 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\log.txt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
2 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x7ffe29751010 |
|
1 | |
| Window | Create | window_name = Your files has been safely encrypted, class_name = static, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Decryptionkey, class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Buy Bitcoins, class_name = button, wndproc_parameter = 0 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\1365363213, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Window | Create | window_name = The only way you can recover your files is to buy a decryption key, Please send the mentioned about of money in bitcoins to the following address bitcoin:1rixKVYiwwtDheLLb7QHEmxF4Nb1Xt1Fq or all files will be deleted in 72 hours,,,,,, After payment Please Contact (shadowbroker_1@protonmail.com) The payment method is: Bitcoins. The price is: $1000 = 0.44407866 Bitcoins Click on the 'Buy decryption key' button., class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 800, y_out = 505 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
3 | |
| System | Get Cursor | x_out = 800, y_out = 505 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
41 | |
| System | Get Cursor | x_out = 574, y_out = 538 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
27 | |
| System | Get Cursor | x_out = 574, y_out = 538 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
28 | |
| System | Get Cursor | x_out = 574, y_out = 538 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
3 | |
| System | Get Cursor | x_out = 574, y_out = 538 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
2 | |
| System | Get Cursor | x_out = 574, y_out = 538 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| System | Get Cursor | x_out = 867, y_out = 511 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Module | Load | module_name = Advapi32.dll, base_address = 0x7ffe2a590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x7ffe2a59f478 |
|
1 | |
| System | Get Cursor | x_out = 867, y_out = 511 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7ffe2a59e85c |
|
1 | |
| File | Get Info | filename = C:\PROGRA~1\COMMON~1\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\3123635631, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 16 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Get Cursor | x_out = 867, y_out = 511 |
|
2 | |
| System | Get Cursor | x_out = 787, y_out = 506 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Process | Create | process_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, os_pid = 0xa5c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 | |
| System | Get Cursor | x_out = 787, y_out = 506 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\users\5jghko~1\desktop\wanacr~1.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:44, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:31 |
| Information | Value |
|---|---|
| PID | 0xa5c |
| Parent PID | 0xae0 (c:\users\5jghko~1\desktop\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
128
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000e0d6190000 | 0xe0d6190000 | 0xe0d61affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e0d6190000 | 0xe0d6190000 | 0xe0d619ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000e0d61a0000 | 0xe0d61a0000 | 0xe0d61a6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e0d61b0000 | 0xe0d61b0000 | 0xe0d61befff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e0d61c0000 | 0xe0d61c0000 | 0xe0d65bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e0d65c0000 | 0xe0d65c0000 | 0xe0d65c3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e0d65d0000 | 0xe0d65d0000 | 0xe0d65d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e0d65e0000 | 0xe0d65e0000 | 0xe0d65e1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xe0d65f0000 | 0xe0d666dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000e0d6670000 | 0xe0d6670000 | 0xe0d6676fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e0d6680000 | 0xe0d6680000 | 0xe0d6680fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e0d6690000 | 0xe0d6690000 | 0xe0d6690fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e0d66a0000 | 0xe0d66a0000 | 0xe0d66a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e0d66a0000 | 0xe0d66a0000 | 0xe0d66a3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e0d66b0000 | 0xe0d66b0000 | 0xe0d66b1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0xe0d66c0000 | 0xe0d6779fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000e0d66c0000 | 0xe0d66c0000 | 0xe0d66c6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e0d66d0000 | 0xe0d66d0000 | 0xe0d66d0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e0d66e0000 | 0xe0d66e0000 | 0xe0d66e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000e0d66f0000 | 0xe0d66f0000 | 0xe0d66f0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e0d6700000 | 0xe0d6700000 | 0xe0d6700fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e0d6700000 | 0xe0d6700000 | 0xe0d6702fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e0d6710000 | 0xe0d6710000 | 0xe0d6710fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e0d6720000 | 0xe0d6720000 | 0xe0d6763fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e0d6770000 | 0xe0d6770000 | 0xe0d6794fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000e0d67a0000 | 0xe0d67a0000 | 0xe0d6b9ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e0d6ba0000 | 0xe0d6ba0000 | 0xe0d6c8ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e0d6cc0000 | 0xe0d6cc0000 | 0xe0d6ccffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e0d6d10000 | 0xe0d6d10000 | 0xe0d6d1ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e0d6d20000 | 0xe0d6d20000 | 0xe0d6ea7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e0d6eb0000 | 0xe0d6eb0000 | 0xe0d7030fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e0d7040000 | 0xe0d7040000 | 0xe0d843ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e0d8440000 | 0xe0d8440000 | 0xe0d853ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e0d8540000 | 0xe0d8540000 | 0xe0d8640fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0xe0d8540000 | 0xe0d8814fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e0d8820000 | 0xe0d8820000 | 0xe0d8d11fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xe0d8d20000 | 0xe0d9b8ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e0d9b90000 | 0xe0d9b90000 | 0xe0d9da7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xe0d9db0000 | 0xe0dcc45fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e0dcc50000 | 0xe0dcc50000 | 0xe0dd049fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff755d00000 | 0x7ff755d00000 | 0x7ff755dfffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff755e00000 | 0x7ff755e00000 | 0x7ff755e22fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff755e25000 | 0x7ff755e25000 | 0x7ff755e25fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff755e2e000 | 0x7ff755e2e000 | 0x7ff755e2ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x7ff756b50000 | 0x7ff756c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffe21e80000 | 0x7ffe21e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffe22ac0000 | 0x7ffe22ae9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffe22af0000 | 0x7ffe22b0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffe24b90000 | 0x7ffe24baafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffe24bb0000 | 0x7ffe24e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffe24e60000 | 0x7ffe2509ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffe25c20000 | 0x7ffe25c29fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffe25c90000 | 0x7ffe25c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffe25f10000 | 0x7ffe25f38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffe26510000 | 0x7ffe26525fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffe26550000 | 0x7ffe26564fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffe280b0000 | 0x7ffe28309fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffe28580000 | 0x7ffe285a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffe28760000 | 0x7ffe28800fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffe28ba0000 | 0x7ffe28cc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffe28d20000 | 0x7ffe28d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffe28d70000 | 0x7ffe28d79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffe29350000 | 0x7ffe29384fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffe29460000 | 0x7ffe2947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffe29750000 | 0x7ffe2975bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffe29760000 | 0x7ffe2977dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffe29990000 | 0x7ffe299b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffe29c20000 | 0x7ffe29c44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffe29cb0000 | 0x7ffe29d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffe29e80000 | 0x7ffe29e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffe29ea0000 | 0x7ffe29eb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffe2a070000 | 0x7ffe2a17dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffe2a360000 | 0x7ffe2a3a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffe2a3b0000 | 0x7ffe2a520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffe2a530000 | 0x7ffe2a586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffe2a590000 | 0x7ffe2a634fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffe2a640000 | 0x7ffe2a778fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffe2a780000 | 0x7ffe2a836fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffe2a8b0000 | 0x7ffe2a956fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffe2a960000 | 0x7ffe2aaa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffe2aab0000 | 0x7ffe2bebefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffe2bf40000 | 0x7ffe2c116fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffe2c1d0000 | 0x7ffe2c203fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffe2c210000 | 0x7ffe2c385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffe2c390000 | 0x7ffe2c4c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffe2c4d0000 | 0x7ffe2c527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffe2c710000 | 0x7ffe2c7a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffe2c7b0000 | 0x7ffe2c8e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffe2caa0000 | 0x7ffe2caa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffe2cab0000 | 0x7ffe2cab8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffe2cac0000 | 0x7ffe2cb10fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffe2cb20000 | 0x7ffe2ccc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7ffe2a643de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x7ffe2a643ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x7ffe2a64165c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x7ffe2a64164c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x7ffe2a6434d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x7ffe2a65bba4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x7ffe2a6f8b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7ffe2a644020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7ffe2a64415c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7ffe2cb4ac78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffe2cb93808 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7ffe2cb4ba8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7ffe2a64a4e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7ffe2cb97284 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7ffe2cb926cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x7ffe2cbb7300 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffe2cb96e94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x7ffe2cbb6190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7ffe2a644780 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7ffe2a71d040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x7ffe2a148320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7ffe2a71d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x7ffe2a6443cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x7ffe2a71d2b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7ffe2a644060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7ffe2a6f8fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7ffe2a644050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7ffe2a6441d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7ffe2a643fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7ffe2a07c850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7ffe2a641678 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:09 (UTC) |
|
5 | |
| Debug | Check for Presence | c:\users\5jghko~1\desktop\wanacr~1.exe |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:09 (UTC) |
|
8 | |
| Window | Create | window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| File | Write | size = 34 |
|
1 | |
| Window | Create | window_name = WanaCry4, class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 787, y_out = 506 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Window | Create | window_name = Decrypt Files, class_name = button, wndproc_parameter = 0 |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x7ffe2a3b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = SendMessageW, address_out = 0x7ffe2a3b6970 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\log.txt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
2 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x7ffe29751010 |
|
1 | |
| Window | Create | window_name = Your files has been safely encrypted, class_name = static, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Decryptionkey, class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Buy Bitcoins, class_name = button, wndproc_parameter = 0 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\1365363213, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Window | Create | window_name = The only way you can recover your files is to buy a decryption key, Please send the mentioned about of money in bitcoins to the following address bitcoin:1rixKVYiwwtDheLLb7QHEmxF4Nb1Xt1Fq or all files will be deleted in 72 hours,,,,,, After payment Please Contact (shadowbroker_1@protonmail.com) The payment method is: Bitcoins. The price is: $1000 = 0.44407866 Bitcoins Click on the 'Buy decryption key' button., class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 787, y_out = 506 |
|
1 | |
| System | Get Cursor | x_out = 526, y_out = 541 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
8 | |
| System | Get Cursor | x_out = 526, y_out = 541 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
28 | |
| System | Get Cursor | x_out = 526, y_out = 541 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
3 | |
| System | Get Cursor | x_out = 526, y_out = 541 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| System | Get Cursor | x_out = 526, y_out = 541 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
2 | |
| System | Get Cursor | x_out = 526, y_out = 541 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Get Cursor | x_out = 526, y_out = 541 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| System | Get Cursor | x_out = 872, y_out = 509 |
|
1 | |
| Module | Load | module_name = Advapi32.dll, base_address = 0x7ffe2a590000 |
|
1 | |
| System | Get Cursor | x_out = 872, y_out = 509 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x7ffe2a59f478 |
|
1 | |
| File | Get Info | filename = C:\PROGRA~1\COMMON~1\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\3123635631, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 16 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Get Cursor | x_out = 872, y_out = 509 |
|
2 | |
| System | Get Cursor | x_out = 778, y_out = 512 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Process | Create | process_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, os_pid = 0xa88, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 | |
| System | Get Cursor | x_out = 778, y_out = 512 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\users\5jghko~1\desktop\wanacr~1.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:28 |
| Information | Value |
|---|---|
| PID | 0xa88 |
| Parent PID | 0xa5c (c:\users\5jghko~1\desktop\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A80
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x00000010f3550000 | 0x10f3550000 | 0x10f356ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000010f3550000 | 0x10f3550000 | 0x10f355ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000010f3560000 | 0x10f3560000 | 0x10f3566fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000010f3570000 | 0x10f3570000 | 0x10f357efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000010f3580000 | 0x10f3580000 | 0x10f397ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000010f3980000 | 0x10f3980000 | 0x10f3983fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000010f3990000 | 0x10f3990000 | 0x10f3991fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000010f39a0000 | 0x10f39a0000 | 0x10f39a1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x10f39b0000 | 0x10f3a2dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000010f3a30000 | 0x10f3a30000 | 0x10f3a36fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000010f3a40000 | 0x10f3a40000 | 0x10f3a40fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000010f3a50000 | 0x10f3a50000 | 0x10f3a50fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000010f3a60000 | 0x10f3a60000 | 0x10f3a60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000010f3a60000 | 0x10f3a60000 | 0x10f3a63fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000010f3a70000 | 0x10f3a70000 | 0x10f3e6ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000010f3e70000 | 0x10f3e70000 | 0x10f3e71fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000010f3e80000 | 0x10f3e80000 | 0x10f3e86fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000010f3e90000 | 0x10f3e90000 | 0x10f3e90fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000010f3ea0000 | 0x10f3ea0000 | 0x10f3ea0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000010f3eb0000 | 0x10f3eb0000 | 0x10f3eb0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000010f3ec0000 | 0x10f3ec0000 | 0x10f3ec0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000010f3ec0000 | 0x10f3ec0000 | 0x10f3ec2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000010f3ed0000 | 0x10f3ed0000 | 0x10f3ed0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000010f3ee0000 | 0x10f3ee0000 | 0x10f3f04fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000010f3f10000 | 0x10f3f10000 | 0x10f3f1ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000010f3f20000 | 0x10f3f20000 | 0x10f40a7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000010f40b0000 | 0x10f40b0000 | 0x10f4230fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000010f4240000 | 0x10f4240000 | 0x10f563ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0x10f5640000 | 0x10f56f9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000010f5640000 | 0x10f5640000 | 0x10f572ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000010f5750000 | 0x10f5750000 | 0x10f575ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000010f5760000 | 0x10f5760000 | 0x10f585ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000010f5860000 | 0x10f5860000 | 0x10f5960fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x10f5860000 | 0x10f5b34fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000010f5b40000 | 0x10f5b40000 | 0x10f6031fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x10f6040000 | 0x10f6eaffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000010f6eb0000 | 0x10f6eb0000 | 0x10f70c7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0x10f70d0000 | 0x10f9f65fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000010f9f70000 | 0x10f9f70000 | 0x10fa369fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000010fa370000 | 0x10fa370000 | 0x10fa3b3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff7564a0000 | 0x7ff7564a0000 | 0x7ff75659ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff7565a0000 | 0x7ff7565a0000 | 0x7ff7565c2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff7565cc000 | 0x7ff7565cc000 | 0x7ff7565cdfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7565ce000 | 0x7ff7565ce000 | 0x7ff7565cefff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x7ff756b50000 | 0x7ff756c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffe21e80000 | 0x7ffe21e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffe22ac0000 | 0x7ffe22ae9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffe22af0000 | 0x7ffe22b0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffe24b90000 | 0x7ffe24baafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffe24bb0000 | 0x7ffe24e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffe24e60000 | 0x7ffe2509ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffe25c20000 | 0x7ffe25c29fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffe25c90000 | 0x7ffe25c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffe25f10000 | 0x7ffe25f38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffe26510000 | 0x7ffe26525fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffe26550000 | 0x7ffe26564fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffe280b0000 | 0x7ffe28309fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffe28580000 | 0x7ffe285a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffe28760000 | 0x7ffe28800fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffe28ba0000 | 0x7ffe28cc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffe28d20000 | 0x7ffe28d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffe28d70000 | 0x7ffe28d79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffe29350000 | 0x7ffe29384fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffe29460000 | 0x7ffe2947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffe29750000 | 0x7ffe2975bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffe29760000 | 0x7ffe2977dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffe29990000 | 0x7ffe299b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffe29c20000 | 0x7ffe29c44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffe29cb0000 | 0x7ffe29d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffe29e80000 | 0x7ffe29e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffe29ea0000 | 0x7ffe29eb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffe2a070000 | 0x7ffe2a17dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffe2a360000 | 0x7ffe2a3a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffe2a3b0000 | 0x7ffe2a520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffe2a530000 | 0x7ffe2a586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffe2a590000 | 0x7ffe2a634fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffe2a640000 | 0x7ffe2a778fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffe2a780000 | 0x7ffe2a836fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffe2a8b0000 | 0x7ffe2a956fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffe2a960000 | 0x7ffe2aaa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffe2aab0000 | 0x7ffe2bebefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffe2bf40000 | 0x7ffe2c116fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffe2c1d0000 | 0x7ffe2c203fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffe2c210000 | 0x7ffe2c385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffe2c390000 | 0x7ffe2c4c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffe2c4d0000 | 0x7ffe2c527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffe2c710000 | 0x7ffe2c7a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffe2c7b0000 | 0x7ffe2c8e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffe2caa0000 | 0x7ffe2caa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffe2cab0000 | 0x7ffe2cab8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffe2cac0000 | 0x7ffe2cb10fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffe2cb20000 | 0x7ffe2ccc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7ffe2a643de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x7ffe2a643ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x7ffe2a64165c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x7ffe2a64164c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x7ffe2a6434d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x7ffe2a65bba4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x7ffe2a6f8b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7ffe2a644020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7ffe2a64415c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7ffe2cb4ac78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffe2cb93808 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7ffe2cb4ba8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7ffe2a64a4e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7ffe2cb97284 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7ffe2cb926cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x7ffe2cbb7300 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffe2cb96e94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x7ffe2cbb6190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7ffe2a644780 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7ffe2a71d040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x7ffe2a148320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7ffe2a71d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x7ffe2a6443cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x7ffe2a71d2b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7ffe2a644060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7ffe2a6f8fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7ffe2a644050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7ffe2a6441d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7ffe2a643fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7ffe2a07c850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7ffe2a641678 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:11 (UTC) |
|
5 | |
| Debug | Check for Presence | c:\users\5jghko~1\desktop\wanacr~1.exe |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:11 (UTC) |
|
8 | |
| Window | Create | window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | window_name = WanaCry4, class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 778, y_out = 512 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Window | Create | window_name = Decrypt Files, class_name = button, wndproc_parameter = 0 |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x7ffe2a3b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = SendMessageW, address_out = 0x7ffe2a3b6970 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\log.txt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
2 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x7ffe29751010 |
|
1 | |
| Window | Create | window_name = Your files has been safely encrypted, class_name = static, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Decryptionkey, class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Buy Bitcoins, class_name = button, wndproc_parameter = 0 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\1365363213, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Window | Create | window_name = The only way you can recover your files is to buy a decryption key, Please send the mentioned about of money in bitcoins to the following address bitcoin:1rixKVYiwwtDheLLb7QHEmxF4Nb1Xt1Fq or all files will be deleted in 72 hours,,,,,, After payment Please Contact (shadowbroker_1@protonmail.com) The payment method is: Bitcoins. The price is: $1000 = 0.44407866 Bitcoins Click on the 'Buy decryption key' button., class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 778, y_out = 512 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
2 | |
| System | Get Cursor | x_out = 570, y_out = 547 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
26 | |
| System | Get Cursor | x_out = 570, y_out = 547 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
3 | |
| System | Get Cursor | x_out = 570, y_out = 547 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
3 | |
| System | Get Cursor | x_out = 570, y_out = 547 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
2 | |
| System | Get Cursor | x_out = 570, y_out = 547 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| System | Get Cursor | x_out = 570, y_out = 547 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| System | Get Cursor | x_out = 881, y_out = 512 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Module | Load | module_name = Advapi32.dll, base_address = 0x7ffe2a590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x7ffe2a59f478 |
|
1 | |
| System | Get Cursor | x_out = 881, y_out = 512 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7ffe2a59e85c |
|
1 | |
| File | Get Info | filename = C:\PROGRA~1\COMMON~1\, type = file_attributes |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\3123635631, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 16 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptGetKeyParam, address_out = 0x7ffe2a5cb750 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Get Cursor | x_out = 881, y_out = 512 |
|
2 | |
| System | Get Cursor | x_out = 786, y_out = 503 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Process | Create | process_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, os_pid = 0x968, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Module | Get Handle | module_name = mscoree.dll |
|
1 |
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\users\5jghko~1\desktop\wanacr~1.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:49, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:26 |
| Information | Value |
|---|---|
| PID | 0x968 |
| Parent PID | 0xa88 (c:\users\5jghko~1\desktop\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B98
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000d72ec40000 | 0xd72ec40000 | 0xd72ec5ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d72ec40000 | 0xd72ec40000 | 0xd72ec4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000d72ec50000 | 0xd72ec50000 | 0xd72ec56fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d72ec60000 | 0xd72ec60000 | 0xd72ec6efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d72ec70000 | 0xd72ec70000 | 0xd72f06ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d72f070000 | 0xd72f070000 | 0xd72f073fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d72f080000 | 0xd72f080000 | 0xd72f081fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d72f090000 | 0xd72f090000 | 0xd72f091fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xd72f0a0000 | 0xd72f11dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000d72f120000 | 0xd72f120000 | 0xd72f126fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d72f130000 | 0xd72f130000 | 0xd72f130fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d72f140000 | 0xd72f140000 | 0xd72f140fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d72f150000 | 0xd72f150000 | 0xd72f150fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d72f150000 | 0xd72f150000 | 0xd72f153fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d72f160000 | 0xd72f160000 | 0xd72f161fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d72f170000 | 0xd72f170000 | 0xd72f176fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d72f180000 | 0xd72f180000 | 0xd72f180fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d72f190000 | 0xd72f190000 | 0xd72f190fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000d72f1a0000 | 0xd72f1a0000 | 0xd72f1affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d72f1b0000 | 0xd72f1b0000 | 0xd72f1b0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d72f1c0000 | 0xd72f1c0000 | 0xd72f1c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d72f1c0000 | 0xd72f1c0000 | 0xd72f1c2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d72f1d0000 | 0xd72f1d0000 | 0xd72f1d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000d72f1e0000 | 0xd72f1e0000 | 0xd72f5dffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xd72f5e0000 | 0xd72f699fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000d72f5e0000 | 0xd72f5e0000 | 0xd72f6cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d72f6d0000 | 0xd72f6d0000 | 0xd72f6dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d72f6e0000 | 0xd72f6e0000 | 0xd72f867fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d72f870000 | 0xd72f870000 | 0xd72f9f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d72fa00000 | 0xd72fa00000 | 0xd730dfffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d730e00000 | 0xd730e00000 | 0xd730efffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d730f00000 | 0xd730f00000 | 0xd731000fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0xd730f00000 | 0xd7311d4fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000d7311e0000 | 0xd7311e0000 | 0xd7316d1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xd7316e0000 | 0xd73254ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000d732550000 | 0xd732550000 | 0xd732767fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xd732770000 | 0xd735605fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000d735610000 | 0xd735610000 | 0xd735a09fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d735a10000 | 0xd735a10000 | 0xd735a53fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d735a60000 | 0xd735a60000 | 0xd735a84fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff756900000 | 0x7ff756900000 | 0x7ff7569fffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff756a00000 | 0x7ff756a00000 | 0x7ff756a22fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff756a24000 | 0x7ff756a24000 | 0x7ff756a24fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff756a2e000 | 0x7ff756a2e000 | 0x7ff756a2ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x7ff756b50000 | 0x7ff756c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffe21e80000 | 0x7ffe21e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffe22ac0000 | 0x7ffe22ae9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffe22af0000 | 0x7ffe22b0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffe24b90000 | 0x7ffe24baafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffe24bb0000 | 0x7ffe24e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffe24e60000 | 0x7ffe2509ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffe25c20000 | 0x7ffe25c29fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffe25c90000 | 0x7ffe25c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffe25f10000 | 0x7ffe25f38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffe26510000 | 0x7ffe26525fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffe26550000 | 0x7ffe26564fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffe280b0000 | 0x7ffe28309fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffe28580000 | 0x7ffe285a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffe28760000 | 0x7ffe28800fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffe28ba0000 | 0x7ffe28cc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffe28d20000 | 0x7ffe28d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffe28d70000 | 0x7ffe28d79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffe29350000 | 0x7ffe29384fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffe29460000 | 0x7ffe2947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffe29750000 | 0x7ffe2975bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffe29760000 | 0x7ffe2977dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffe29990000 | 0x7ffe299b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffe29c20000 | 0x7ffe29c44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffe29cb0000 | 0x7ffe29d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffe29e80000 | 0x7ffe29e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffe29ea0000 | 0x7ffe29eb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffe2a070000 | 0x7ffe2a17dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffe2a360000 | 0x7ffe2a3a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffe2a3b0000 | 0x7ffe2a520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffe2a530000 | 0x7ffe2a586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffe2a590000 | 0x7ffe2a634fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffe2a640000 | 0x7ffe2a778fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffe2a780000 | 0x7ffe2a836fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffe2a8b0000 | 0x7ffe2a956fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffe2a960000 | 0x7ffe2aaa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffe2aab0000 | 0x7ffe2bebefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffe2bf40000 | 0x7ffe2c116fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffe2c1d0000 | 0x7ffe2c203fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffe2c210000 | 0x7ffe2c385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffe2c390000 | 0x7ffe2c4c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffe2c4d0000 | 0x7ffe2c527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffe2c710000 | 0x7ffe2c7a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffe2c7b0000 | 0x7ffe2c8e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffe2caa0000 | 0x7ffe2caa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffe2cab0000 | 0x7ffe2cab8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffe2cac0000 | 0x7ffe2cb10fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffe2cb20000 | 0x7ffe2ccc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7ffe2a643de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x7ffe2a643ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x7ffe2a64165c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x7ffe2a64164c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x7ffe2a6434d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x7ffe2a65bba4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x7ffe2a6f8b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7ffe2a644020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7ffe2a64415c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7ffe2cb4ac78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffe2cb93808 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7ffe2cb4ba8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7ffe2a64a4e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7ffe2cb97284 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7ffe2cb926cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x7ffe2cbb7300 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffe2cb96e94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x7ffe2cbb6190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7ffe2a644780 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7ffe2a71d040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x7ffe2a148320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7ffe2a71d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x7ffe2a6443cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x7ffe2a71d2b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7ffe2a644060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7ffe2a6f8fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7ffe2a644050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7ffe2a6441d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7ffe2a643fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7ffe2a07c850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7ffe2a641678 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:14 (UTC) |
|
5 | |
| Debug | Check for Presence | c:\users\5jghko~1\desktop\wanacr~1.exe |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:14 (UTC) |
|
8 | |
| Window | Create | window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | window_name = WanaCry4, class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 786, y_out = 503 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Window | Create | window_name = Decrypt Files, class_name = button, wndproc_parameter = 0 |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x7ffe2a3b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = SendMessageW, address_out = 0x7ffe2a3b6970 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\log.txt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
2 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x7ffe29751010 |
|
1 | |
| Window | Create | window_name = Your files has been safely encrypted, class_name = static, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Decryptionkey, class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Buy Bitcoins, class_name = button, wndproc_parameter = 0 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\1365363213, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Window | Create | window_name = The only way you can recover your files is to buy a decryption key, Please send the mentioned about of money in bitcoins to the following address bitcoin:1rixKVYiwwtDheLLb7QHEmxF4Nb1Xt1Fq or all files will be deleted in 72 hours,,,,,, After payment Please Contact (shadowbroker_1@protonmail.com) The payment method is: Bitcoins. The price is: $1000 = 0.44407866 Bitcoins Click on the 'Buy decryption key' button., class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 786, y_out = 503 |
|
1 | |
| System | Get Cursor | x_out = 528, y_out = 533 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
25 | |
| System | Get Cursor | x_out = 528, y_out = 533 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
3 | |
| System | Get Cursor | x_out = 528, y_out = 533 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
2 | |
| System | Get Cursor | x_out = 528, y_out = 533 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| System | Get Cursor | x_out = 528, y_out = 533 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| System | Get Cursor | x_out = 528, y_out = 533 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| System | Get Cursor | x_out = 871, y_out = 503 |
|
1 | |
| Module | Load | module_name = Advapi32.dll, base_address = 0x7ffe2a590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x7ffe2a59f478 |
|
1 | |
| System | Get Cursor | x_out = 871, y_out = 503 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7ffe2a59e86c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = CryptDeriveKey, address_out = 0x7ffe2a5eb060 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 16 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| Window | Create |
|
1 | ||
| System | Get Cursor | x_out = 871, y_out = 503 |
|
2 | |
| System | Get Cursor | x_out = 761, y_out = 513 |
|
1 | |
| Process | Create | process_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, os_pid = 0x338, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL |
|
1 |
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\users\5jghko~1\desktop\wanacr~1.exe |
| Command Line | C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:52, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:23 |
| Information | Value |
|---|---|
| PID | 0x338 |
| Parent PID | 0x968 (c:\users\5jghko~1\desktop\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
37C
0x
764
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x00000032af250000 | 0x32af250000 | 0x32af26ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000032af250000 | 0x32af250000 | 0x32af25ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000032af260000 | 0x32af260000 | 0x32af266fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000032af270000 | 0x32af270000 | 0x32af27efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000032af280000 | 0x32af280000 | 0x32af67ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000032af680000 | 0x32af680000 | 0x32af683fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000032af690000 | 0x32af690000 | 0x32af691fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000032af6a0000 | 0x32af6a0000 | 0x32af6a1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000032af6b0000 | 0x32af6b0000 | 0x32af6b6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000032af6c0000 | 0x32af6c0000 | 0x32afabffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x32afac0000 | 0x32afb3dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000032afb40000 | 0x32afb40000 | 0x32afb40fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000032afb50000 | 0x32afb50000 | 0x32afb50fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000032afb60000 | 0x32afb60000 | 0x32afb6ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000032afb70000 | 0x32afb70000 | 0x32afcf7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000032afd00000 | 0x32afd00000 | 0x32afe80fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000032afe90000 | 0x32afe90000 | 0x32b128ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000032b1290000 | 0x32b1290000 | 0x32b1290fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000032b1290000 | 0x32b1290000 | 0x32b1293fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000032b12a0000 | 0x32b12a0000 | 0x32b12a1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000032b12b0000 | 0x32b12b0000 | 0x32b12b6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000032b12c0000 | 0x32b12c0000 | 0x32b12c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000032b12d0000 | 0x32b12d0000 | 0x32b12d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000032b12e0000 | 0x32b12e0000 | 0x32b12e0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000032b12f0000 | 0x32b12f0000 | 0x32b12f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000032b1330000 | 0x32b1330000 | 0x32b133ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x32b1340000 | 0x32b13f9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000032b1340000 | 0x32b1340000 | 0x32b142ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000032b1430000 | 0x32b1430000 | 0x32b152ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000032b1530000 | 0x32b1530000 | 0x32b1630fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x32b1530000 | 0x32b1804fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000032b1810000 | 0x32b1810000 | 0x32b1c0ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000032b1c10000 | 0x32b1c10000 | 0x32b2101fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x32b2110000 | 0x32b2f7ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000032b2f80000 | 0x32b2f80000 | 0x32b3197fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff756870000 | 0x7ff756870000 | 0x7ff75696ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff756970000 | 0x7ff756970000 | 0x7ff756992fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff75699b000 | 0x7ff75699b000 | 0x7ff75699bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75699c000 | 0x7ff75699c000 | 0x7ff75699dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75699e000 | 0x7ff75699e000 | 0x7ff75699ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x7ff756b50000 | 0x7ff756c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffe21e80000 | 0x7ffe21e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffe22ac0000 | 0x7ffe22ae9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffe22af0000 | 0x7ffe22b0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffe24b90000 | 0x7ffe24baafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffe24bb0000 | 0x7ffe24e57fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffe24e60000 | 0x7ffe2509ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffe25c20000 | 0x7ffe25c29fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffe25c90000 | 0x7ffe25c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffe25f10000 | 0x7ffe25f38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffe26510000 | 0x7ffe26525fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffe26550000 | 0x7ffe26564fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffe280b0000 | 0x7ffe28309fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffe28580000 | 0x7ffe285a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffe28760000 | 0x7ffe28800fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffe28ba0000 | 0x7ffe28cc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffe28d20000 | 0x7ffe28d45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffe28d70000 | 0x7ffe28d79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffe29460000 | 0x7ffe2947efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffe29750000 | 0x7ffe2975bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffe29c20000 | 0x7ffe29c44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffe29cb0000 | 0x7ffe29d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffe29e80000 | 0x7ffe29e89fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffe29ea0000 | 0x7ffe29eb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffe2a070000 | 0x7ffe2a17dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffe2a360000 | 0x7ffe2a3a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffe2a3b0000 | 0x7ffe2a520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffe2a530000 | 0x7ffe2a586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffe2a590000 | 0x7ffe2a634fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffe2a640000 | 0x7ffe2a778fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffe2a780000 | 0x7ffe2a836fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffe2a8b0000 | 0x7ffe2a956fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffe2a960000 | 0x7ffe2aaa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffe2aab0000 | 0x7ffe2bebefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffe2bf40000 | 0x7ffe2c116fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffe2c1d0000 | 0x7ffe2c203fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffe2c210000 | 0x7ffe2c385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffe2c390000 | 0x7ffe2c4c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffe2c4d0000 | 0x7ffe2c527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffe2c710000 | 0x7ffe2c7a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffe2c7b0000 | 0x7ffe2c8e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffe2caa0000 | 0x7ffe2caa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffe2cab0000 | 0x7ffe2cab8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffe2cac0000 | 0x7ffe2cb10fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffe2cb20000 | 0x7ffe2ccc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7ffe2a643de0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x7ffe2a643ea8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x7ffe2a64165c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x7ffe2a64164c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x7ffe2a6434d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x7ffe2a65bba4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x7ffe2a6f8b10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x7ffe2a644020 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x7ffe2a64415c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7ffe2cb4ac78 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffe2cb93808 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7ffe2cb4ba8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x7ffe2a64a4e8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x7ffe2cb97284 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7ffe2cb926cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x7ffe2cbb7300 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffe2cb96e94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x7ffe2cbb6190 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x7ffe2a644780 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x7ffe2a71d040 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x7ffe2a148320 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x7ffe2a71d1c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x7ffe2a6443cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatEx, address_out = 0x7ffe2a71d2b8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x7ffe2a644060 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatEx, address_out = 0x7ffe2a6f8fc0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x7ffe2a644050 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsValidLocaleName, address_out = 0x7ffe2a6441d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7ffe2a643fe0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x7ffe2a07c850 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x7ffe2a641678 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String |
|
1 | ||
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
|
1 | |
| Module | Get Filename | process_name = c:\users\5jghko~1\desktop\wanacr~1.exe, file_name_orig = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, size = 32767 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:16 (UTC) |
|
5 | |
| Debug | Check for Presence | c:\users\5jghko~1\desktop\wanacr~1.exe |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x7ffe2a71dbbc |
|
1 | |
| File | Create | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, type = file_type |
|
1 | |
| Module | Load | module_name = C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe, base_address = 0x7ff756b50000 |
|
1 | |
| Module | Load | module_name = kernel32.dll, base_address = 0x7ffe2a640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = Wow64RevertWow64FsRedirection, address_out = 0x7ffe2a71dbcc |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:02:16 (UTC) |
|
8 | |
| Window | Create | window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Window | Create | window_name = WanaCry4, class_name = AutoIt v3 GUI, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 761, y_out = 513 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 40 milliseconds (0.040 seconds) |
|
1 | |
| Window | Create | window_name = Decrypt Files, class_name = button, wndproc_parameter = 0 |
|
1 | |
| Window | Create | class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Module | Load | module_name = user32.dll, base_address = 0x7ffe2a3b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = SendMessageW, address_out = 0x7ffe2a3b6970 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\log.txt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
2 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\log.txt, size = 65536, size_out = 12874 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x7ffe29751010 |
|
1 | |
| Window | Create | window_name = Your files has been safely encrypted, class_name = static, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Decryptionkey, class_name = edit, wndproc_parameter = 0 |
|
1 | |
| Window | Create | window_name = Buy Bitcoins, class_name = button, wndproc_parameter = 0 |
|
1 | |
| File | Create | filename = C:\PROGRA~1\COMMON~1\1365363213, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 0 |
|
1 | |
| File | Read | filename = C:\PROGRA~1\COMMON~1\1365363213, size = 65536, size_out = 27 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetGetJoinInformation, address_out = 0x7ffe265119a0 |
|
1 | |
| Module | Load | module_name = Netapi32.dll, base_address = 0x7ffe26550000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferSize, address_out = 0x7ffe29755584 |
|
1 | |
| Window | Create | window_name = The only way you can recover your files is to buy a decryption key, Please send the mentioned about of money in bitcoins to the following address bitcoin:1rixKVYiwwtDheLLb7QHEmxF4Nb1Xt1Fq or all files will be deleted in 72 hours,,,,,, After payment Please Contact (shadowbroker_1@protonmail.com) The payment method is: Bitcoins. The price is: $1000 = 0.44407866 Bitcoins Click on the 'Buy decryption key' button., class_name = edit, wndproc_parameter = 0 |
|
1 | |
| System | Get Cursor | x_out = 761, y_out = 513 |
|
1 | |
| System | Get Cursor | x_out = 535, y_out = 536 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
2 | |
| System | Get Cursor | x_out = 535, y_out = 536 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
2 | |
| System | Get Cursor | x_out = 535, y_out = 536 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| System | Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 |
| Information | Value |
|---|---|
| ID | #30 |
| File Name | System |
| Command Line | |
| Initial Working Directory | |
| Monitor | Start Time: 00:01:02, Reason: Kernel Analysis |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:13 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x4 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
8
0x
18
0x
14
0x
20
0x
1C
0x
50
0x
30
0x
94
0x
98
0x
9C
0x
A4
0x
A0
0x
C8
0x
3C
0x
D0
0x
D4
0x
DC
0x
A8
0x
E0
0x
E8
0x
7C
0x
B0
0x
F4
0x
AC
0x
108
0x
110
0x
114
0x
11C
0x
128
0x
4C
0x
70
0x
34
0x
40
0x
24
0x
104
0x
80
0x
10
0x
148
0x
118
0x
14C
0x
150
0x
154
0x
15C
0x
160
0x
164
0x
168
0x
1B8
0x
10C
0x
13C
0x
158
0x
6C
0x
38
0x
290
0x
5C
0x
300
0x
68
0x
CC
0x
34C
0x
288
0x
390
0x
398
0x
4F8
0x
5A0
0x
5F8
0x
78
0x
5FC
0x
678
0x
6FC
0x
758
0x
764
0x
768
0x
770
0x
4FC
0x
7CC
0x
644
0x
6F8
0x
8AC
0x
8B0
0x
D8
0x
8F4
0x
918
0x
93C
0x
28
0x
964
0x
988
0x
9AC
0x
9D0
0x
A18
0x
A1C
0x
A48
0x
A6C
0x
A90
0x
AB4
0x
AD8
0x
AFC
0x
B20
0x
B44
0x
B48
0x
B74
0x
B78
0x
B7C
0x
B80
0x
B84
0x
BB8
0x
BC0
0x
BC4
0x
874
0x
83C
0x
120
0x
124
0x
4C4
0x
4C0
0x
878
0x
3CC
0x
3B4
0x
740
0x
238
0x
664
0x
6D4
0x
6D0
0x
6AC
0x
6C8
0x
6E4
0x
6CC
0x
478
0x
7CC
0x
8DC
0x
8D8
0x
8B4
0x
858
0x
508
0x
454
0x
450
0x
504
0x
474
0x
78C
0x
3FC
0x
3F8
0x
8E4
0x
8E8
0x
8E0
0x
7E0
0x
8FC
0x
900
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x0000008bcbee0000 | 0x8bcbee0000 | 0x8bcbf02fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:01:03, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:12 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xec |
| Parent PID | 0x4 (System) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
F0
0x
F8
0x
138
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000a5521e0000 | 0xa5521e0000 | 0xa5521fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a552200000 | 0xa552200000 | 0xa55220efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a552210000 | 0xa552210000 | 0xa55228ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff7c03f0000 | 0x7ff7c03f0000 | 0x7ff7c0412fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff7c041d000 | 0x7ff7c041d000 | 0x7ff7c041efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7c041f000 | 0x7ff7c041f000 | 0x7ff7c041ffff | Private Memory | Readable, Writable |
|
|
|
|
| smss.exe | 0x7ff7c1330000 | 0x7ff7c1354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\windows\system32\autochk.exe |
| Command Line | \??\C:\Windows\system32\autochk.exe * |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:04, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:11 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xfc |
| Parent PID | 0xec (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
100
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000d637910000 | 0xd637910000 | 0xd63792ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d637930000 | 0xd637930000 | 0xd63793efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d637940000 | 0xd637940000 | 0xd6379bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff746940000 | 0x7ff746940000 | 0x7ff746962fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff74696d000 | 0x7ff74696d000 | 0x7ff74696efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff74696f000 | 0x7ff74696f000 | 0x7ff74696ffff | Private Memory | Readable, Writable |
|
|
|
|
| autochk.exe | 0x7ff7470e0000 | 0x7ff7471bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe 00000000 00000050 |
| Initial Working Directory | C:\Windows\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:08 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x130 |
| Parent PID | 0xec (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
134
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000840d080000 | 0x840d080000 | 0x840d09ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000840d0a0000 | 0x840d0a0000 | 0x840d0aefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000840d0b0000 | 0x840d0b0000 | 0x840d12ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff7c0cd0000 | 0x7ff7c0cd0000 | 0x7ff7c0cf2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff7c0cfc000 | 0x7ff7c0cfc000 | 0x7ff7c0cfdfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7c0cfe000 | 0x7ff7c0cfe000 | 0x7ff7c0cfefff | Private Memory | Readable, Writable |
|
|
|
|
| smss.exe | 0x7ff7c1330000 | 0x7ff7c1354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:08 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x140 |
| Parent PID | 0x130 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
144
0x
16C
0x
170
0x
174
0x
178
0x
1B0
0x
1C0
0x
1C4
0x
218
0x
30C
0x
BE8
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000006793560000 | 0x6793560000 | 0x679357ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006793560000 | 0x6793560000 | 0x6793566fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006793570000 | 0x6793570000 | 0x6793572fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006793580000 | 0x6793580000 | 0x679358efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006793590000 | 0x6793590000 | 0x67935cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006793590000 | 0x6793590000 | 0x679359ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| marlett.ttf | 0x67935a0000 | 0x67935a6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000067935b0000 | 0x67935b0000 | 0x67935c7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x67935d0000 | 0x679364dfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000006793650000 | 0x6793650000 | 0x6793650fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000006793660000 | 0x6793660000 | 0x679375ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006793760000 | 0x6793760000 | 0x67938e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000067938f0000 | 0x67938f0000 | 0x6793ce9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006793cf0000 | 0x6793cf0000 | 0x6793cf0fff | Private Memory | Readable, Writable |
|
|
|
|
| vgasys.fon | 0x6793d00000 | 0x6793d01fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000006793d10000 | 0x6793d10000 | 0x6793d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006793d50000 | 0x6793d50000 | 0x6793d8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006793d90000 | 0x6793d90000 | 0x6793dcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006793dd0000 | 0x6793dd0000 | 0x6793e0ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006793e10000 | 0x6793e10000 | 0x6793f97fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006793fa0000 | 0x6793fa0000 | 0x6793fa0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006793fb0000 | 0x6793fb0000 | 0x6793feffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006793ff0000 | 0x6793ff0000 | 0x679402ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006794030000 | 0x6794030000 | 0x679406ffff | Private Memory | Readable, Writable |
|
|
|
|
| segoeui.ttf | 0x6794070000 | 0x679413dfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000006794140000 | 0x6794140000 | 0x679416ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006794170000 | 0x6794170000 | 0x679556ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006795570000 | 0x6795570000 | 0x6795570fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006795580000 | 0x6795580000 | 0x6795580fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795590000 | 0x6795590000 | 0x6795593fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795590000 | 0x6795590000 | 0x6795590fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795590000 | 0x6795590000 | 0x679559ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000067955a0000 | 0x67955a0000 | 0x67955affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000067955b0000 | 0x67955b0000 | 0x67955effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000067955f0000 | 0x67955f0000 | 0x67955f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000067955f0000 | 0x67955f0000 | 0x67955fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795600000 | 0x6795600000 | 0x679560ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795610000 | 0x6795610000 | 0x6795610fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795610000 | 0x6795610000 | 0x679561ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000006795620000 | 0x6795620000 | 0x679565ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795660000 | 0x6795660000 | 0x679571ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006795720000 | 0x6795720000 | 0x679572ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795730000 | 0x6795730000 | 0x67957effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000067957f0000 | 0x67957f0000 | 0x67957fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795800000 | 0x6795800000 | 0x679580ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795810000 | 0x6795810000 | 0x679581ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795820000 | 0x6795820000 | 0x67958dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000067958e0000 | 0x67958e0000 | 0x67958e2fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000067958e0000 | 0x67958e0000 | 0x67958effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000067958e0000 | 0x67958e0000 | 0x67958e3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000067958e0000 | 0x67958e0000 | 0x67958e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000067958f0000 | 0x67958f0000 | 0x67958f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000067958f0000 | 0x67958f0000 | 0x67958fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795900000 | 0x6795900000 | 0x6795900fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795900000 | 0x6795900000 | 0x679590ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795910000 | 0x6795910000 | 0x6795911fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795910000 | 0x6795910000 | 0x679591ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795920000 | 0x6795920000 | 0x679592ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795920000 | 0x6795920000 | 0x6795920fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795930000 | 0x6795930000 | 0x679593ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795940000 | 0x6795940000 | 0x6795941fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006795940000 | 0x6795940000 | 0x6795942fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e6d8a000 | 0x7ff6e6d8a000 | 0x7ff6e6d8bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e6d8c000 | 0x7ff6e6d8c000 | 0x7ff6e6d8dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e6d8e000 | 0x7ff6e6d8e000 | 0x7ff6e6d8ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6e6d90000 | 0x7ff6e6d90000 | 0x7ff6e6e8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6e6e90000 | 0x7ff6e6e90000 | 0x7ff6e6eb2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6e6eb3000 | 0x7ff6e6eb3000 | 0x7ff6e6eb4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e6eb5000 | 0x7ff6e6eb5000 | 0x7ff6e6eb6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e6eb7000 | 0x7ff6e6eb7000 | 0x7ff6e6eb8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e6eb9000 | 0x7ff6e6eb9000 | 0x7ff6e6ebafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e6ebb000 | 0x7ff6e6ebb000 | 0x7ff6e6ebcfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e6ebd000 | 0x7ff6e6ebd000 | 0x7ff6e6ebefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e6ebf000 | 0x7ff6e6ebf000 | 0x7ff6e6ebffff | Private Memory | Readable, Writable |
|
|
|
|
| csrss.exe | 0x7ff6e7a10000 | 0x7ff6e7a16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sxs.dll | 0x7ffd1cba0000 | 0x7ffd1cc36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sxssrv.dll | 0x7ffd1ccc0000 | 0x7ffd1ccccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsrv.dll | 0x7ffd1ccd0000 | 0x7ffd1cd01fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| basesrv.dll | 0x7ffd1cd10000 | 0x7ffd1cd22fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| csrsrv.dll | 0x7ffd1cd30000 | 0x7ffd1cd45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe 00000001 00000050 |
| Initial Working Directory | C:\Windows\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:07 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x17c |
| Parent PID | 0xec (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
180
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000ce561d0000 | 0xce561d0000 | 0xce561effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ce561f0000 | 0xce561f0000 | 0xce561fefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ce56200000 | 0xce56200000 | 0xce5627ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff7c0730000 | 0x7ff7c0730000 | 0x7ff7c0752fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff7c075d000 | 0x7ff7c075d000 | 0x7ff7c075efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7c075f000 | 0x7ff7c075f000 | 0x7ff7c075ffff | Private Memory | Readable, Writable |
|
|
|
|
| smss.exe | 0x7ff7c1330000 | 0x7ff7c1354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\system32\wininit.exe |
| Command Line | wininit.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:07 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x184 |
| Parent PID | 0x130 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
188
0x
1B4
0x
1BC
0x
1C8
0x
200
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000004ce1860000 | 0x4ce1860000 | 0x4ce187ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004ce1860000 | 0x4ce1860000 | 0x4ce186ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000004ce1870000 | 0x4ce1870000 | 0x4ce1876fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004ce1880000 | 0x4ce1880000 | 0x4ce188efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000004ce1890000 | 0x4ce1890000 | 0x4ce190ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004ce1910000 | 0x4ce1910000 | 0x4ce1a5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004ce1910000 | 0x4ce1910000 | 0x4ce1916fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004ce1920000 | 0x4ce1920000 | 0x4ce1922fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004ce1930000 | 0x4ce1930000 | 0x4ce1930fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000004ce1940000 | 0x4ce1940000 | 0x4ce1940fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004ce1950000 | 0x4ce1950000 | 0x4ce1950fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004ce1960000 | 0x4ce1960000 | 0x4ce1a5ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x4ce1a60000 | 0x4ce1addfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000004ce1ae0000 | 0x4ce1ae0000 | 0x4ce1c7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004ce1ae0000 | 0x4ce1ae0000 | 0x4ce1b7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004ce1ae0000 | 0x4ce1ae0000 | 0x4ce1b5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004ce1b60000 | 0x4ce1b60000 | 0x4ce1b60fff | Private Memory | Readable, Writable |
|
|
|
|
| user32.dll.mui | 0x4ce1b60000 | 0x4ce1b64fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000004ce1b70000 | 0x4ce1b70000 | 0x4ce1b7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004ce1b80000 | 0x4ce1b80000 | 0x4ce1bfffff | Private Memory | Readable, Writable |
|
|
|
|
| user32.dll.mui | 0x4ce1c00000 | 0x4ce1c04fff | Memory Mapped File | Readable |
|
|
|
|
| aero_arrow.cur | 0x4ce1c00000 | 0x4ce1c07fff | Memory Mapped File | Readable |
|
|
|
|
| aero_up.cur | 0x4ce1c00000 | 0x4ce1c07fff | Memory Mapped File | Readable |
|
|
|
|
| aero_helpsel.cur | 0x4ce1c00000 | 0x4ce1c07fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000004ce1c00000 | 0x4ce1c00000 | 0x4ce1c00fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004ce1c10000 | 0x4ce1c10000 | 0x4ce1c3ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000004ce1c70000 | 0x4ce1c70000 | 0x4ce1c7ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004ce1c80000 | 0x4ce1c80000 | 0x4ce1e07fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004ce1e10000 | 0x4ce1e10000 | 0x4ce1f90fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004ce1fa0000 | 0x4ce1fa0000 | 0x4ce2399fff | Pagefile Backed Memory | Readable |
|
|
|
|
| aero_busy.ani | 0x4ce1fa0000 | 0x4ce2027fff | Memory Mapped File | Readable |
|
|
|
|
| aero_working.ani | 0x4ce1fa0000 | 0x4ce2027fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000004ce1fa0000 | 0x4ce1fa0000 | 0x4ce339ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| malgun.ttf | 0x4ce23a0000 | 0x4ce2cc6fff | Memory Mapped File | Readable |
|
|
|
|
| msyh.ttc | 0x4ce23a0000 | 0x4ce3841fff | Memory Mapped File | Readable |
|
|
|
|
| batang.ttc | 0x4ce23a0000 | 0x4ce3322fff | Memory Mapped File | Readable |
|
|
|
|
| malgunbd.ttf | 0x4ce23a0000 | 0x4ce2c21fff | Memory Mapped File | Readable |
|
|
|
|
| segoeuib.ttf | 0x4ce23a0000 | 0x4ce246bfff | Memory Mapped File | Readable |
|
|
|
|
| msmincho.ttc | 0x4ce23a0000 | 0x4ce2d3dfff | Memory Mapped File | Readable |
|
|
|
|
| segoeui.ttf | 0x4ce23a0000 | 0x4ce246dfff | Memory Mapped File | Readable |
|
|
|
|
| tahoma.ttf | 0x4ce23a0000 | 0x4ce2456fff | Memory Mapped File | Readable |
|
|
|
|
| simsun.ttc | 0x4ce23a0000 | 0x4ce3509fff | Memory Mapped File | Readable |
|
|
|
|
| meiryob.ttc | 0x4ce23a0000 | 0x4ce2ceafff | Memory Mapped File | Readable |
|
|
|
|
| msgothic.ttc | 0x4ce23a0000 | 0x4ce2c68fff | Memory Mapped File | Readable |
|
|
|
|
| gulim.ttc | 0x4ce23a0000 | 0x4ce3085fff | Memory Mapped File | Readable |
|
|
|
|
| msjhbd.ttc | 0x4ce23a0000 | 0x4ce3164fff | Memory Mapped File | Readable |
|
|
|
|
| msyhbd.ttc | 0x4ce23a0000 | 0x4ce316afff | Memory Mapped File | Readable |
|
|
|
|
| micross.ttf | 0x4ce23a0000 | 0x4ce2442fff | Memory Mapped File | Readable |
|
|
|
|
| mingliu.ttc | 0x4ce23a0000 | 0x4ce3ddbfff | Memory Mapped File | Readable |
|
|
|
|
| msjh.ttc | 0x4ce23a0000 | 0x4ce381cfff | Memory Mapped File | Readable |
|
|
|
|
| meiryo.ttc | 0x4ce23a0000 | 0x4ce2cb5fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000004ce33a0000 | 0x4ce33a0000 | 0x4ce341ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x4ce3420000 | 0x4ce36f4fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00007ff7b2260000 | 0x7ff7b2260000 | 0x7ff7b235ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff7b2360000 | 0x7ff7b2360000 | 0x7ff7b2382fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff7b2386000 | 0x7ff7b2386000 | 0x7ff7b2387fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7b2388000 | 0x7ff7b2388000 | 0x7ff7b2389fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7b238a000 | 0x7ff7b238a000 | 0x7ff7b238bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7b238c000 | 0x7ff7b238c000 | 0x7ff7b238cfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7b238e000 | 0x7ff7b238e000 | 0x7ff7b238ffff | Private Memory | Readable, Writable |
|
|
|
|
| wininit.exe | 0x7ff7b26f0000 | 0x7ff7b2715fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x7ffd1c5e0000 | 0x7ffd1c637fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kbdus.dll | 0x7ffd1cc30000 | 0x7ffd1cc33fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wls0wndh.dll | 0x7ffd1cc30000 | 0x7ffd1cc37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininitext.dll | 0x7ffd1cc40000 | 0x7ffd1cc49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:07 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x18c |
| Parent PID | 0x17c (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
190
0x
194
0x
198
0x
19C
0x
1A0
0x
1A4
0x
1EC
0x
1F8
0x
1FC
0x
21C
0x
280
0x
2A4
0x
BEC
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000e7edcf0000 | 0xe7edcf0000 | 0xe7edd0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7edcf0000 | 0xe7edcf0000 | 0xe7edcf6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7edd00000 | 0xe7edd00000 | 0xe7edd02fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e7edd10000 | 0xe7edd10000 | 0xe7edd1efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e7edd20000 | 0xe7edd20000 | 0xe7edd5ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7edd20000 | 0xe7edd20000 | 0xe7edd2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| marlett.ttf | 0xe7edd30000 | 0xe7edd36fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e7edd40000 | 0xe7edd40000 | 0xe7edd57fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0xe7edd60000 | 0xe7eddddfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e7edde0000 | 0xe7edde0000 | 0xe7edde0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7eddf0000 | 0xe7eddf0000 | 0xe7eddf0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7ede00000 | 0xe7ede00000 | 0xe7ede00fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7ede10000 | 0xe7ede10000 | 0xe7ede10fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7ede20000 | 0xe7ede20000 | 0xe7ede20fff | Private Memory | Readable, Writable |
|
|
|
|
| vgasys.fon | 0xe7ede30000 | 0xe7ede31fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000e7ede40000 | 0xe7ede40000 | 0xe7ede7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7ede80000 | 0xe7ede80000 | 0xe7ede80fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7ede90000 | 0xe7ede90000 | 0xe7edf8ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7edf90000 | 0xe7edf90000 | 0xe7ee110fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e7ee120000 | 0xe7ee120000 | 0xe7ee519fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e7ee520000 | 0xe7ee520000 | 0xe7eea11fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee520000 | 0xe7ee520000 | 0xe7ee520fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee520000 | 0xe7ee520000 | 0xe7ee522fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee520000 | 0xe7ee520000 | 0xe7ee523fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee520000 | 0xe7ee520000 | 0xe7ee52ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee530000 | 0xe7ee530000 | 0xe7ee532fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee530000 | 0xe7ee530000 | 0xe7ee53ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee540000 | 0xe7ee540000 | 0xe7ee54ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee550000 | 0xe7ee550000 | 0xe7ee55ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee550000 | 0xe7ee550000 | 0xe7ee552fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee550000 | 0xe7ee550000 | 0xe7ee551fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee560000 | 0xe7ee560000 | 0xe7ee562fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee560000 | 0xe7ee560000 | 0xe7ee560fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee570000 | 0xe7ee570000 | 0xe7ee5a8fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5b0000 | 0xe7ee5b0000 | 0xe7ee5b2fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5b0000 | 0xe7ee5b0000 | 0xe7ee5b1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5b0000 | 0xe7ee5b0000 | 0xe7ee5bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5c0000 | 0xe7ee5c0000 | 0xe7ee5cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5c0000 | 0xe7ee5c0000 | 0xe7ee5e4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5d0000 | 0xe7ee5d0000 | 0xe7ee5d2fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5d0000 | 0xe7ee5d0000 | 0xe7ee5d1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5d0000 | 0xe7ee5d0000 | 0xe7ee5dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5e0000 | 0xe7ee5e0000 | 0xe7ee5effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5f0000 | 0xe7ee5f0000 | 0xe7ee5fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5f0000 | 0xe7ee5f0000 | 0xe7ee5f2fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee5f0000 | 0xe7ee5f0000 | 0xe7ee5f1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee600000 | 0xe7ee600000 | 0xe7ee600fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee610000 | 0xe7ee610000 | 0xe7ee612fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee610000 | 0xe7ee610000 | 0xe7ee61ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| micross.ttf | 0xe7ee610000 | 0xe7ee6b2fff | Memory Mapped File | Readable |
|
|
|
|
| arialbd.ttf | 0xe7ee6c0000 | 0xe7ee790fff | Memory Mapped File | Readable |
|
|
|
|
| calibrib.ttf | 0xe7ee7a0000 | 0xe7ee86ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000e7ee870000 | 0xe7ee870000 | 0xe7ee8affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7ee8c0000 | 0xe7ee8c0000 | 0xe7ee8e4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7eea20000 | 0xe7eea20000 | 0xe7eea5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7eea60000 | 0xe7eea60000 | 0xe7eea9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7eeaa0000 | 0xe7eeaa0000 | 0xe7eeadffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7eeae0000 | 0xe7eeae0000 | 0xe7eec67fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e7eec70000 | 0xe7eec70000 | 0xe7eecaffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7eecb0000 | 0xe7eecb0000 | 0xe7eeceffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7eecf0000 | 0xe7eecf0000 | 0xe7eed2ffff | Private Memory | Readable, Writable |
|
|
|
|
| segoeui.ttf | 0xe7eed30000 | 0xe7eedfdfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e7eee00000 | 0xe7eee00000 | 0xe7eee2ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e7eee30000 | 0xe7eee30000 | 0xe7f022ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e7f0230000 | 0xe7f0230000 | 0xe7f026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7f0270000 | 0xe7f0270000 | 0xe7f02affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7f02b0000 | 0xe7f02b0000 | 0xe7f02b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7f02c0000 | 0xe7f02c0000 | 0xe7f02c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7f02d0000 | 0xe7f02d0000 | 0xe7f02d3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000e7f02d0000 | 0xe7f02d0000 | 0xe7f030ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7f0310000 | 0xe7f0310000 | 0xe7f0313fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7f0310000 | 0xe7f0310000 | 0xe7f0312fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7f0310000 | 0xe7f0310000 | 0xe7f031ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7f0320000 | 0xe7f0320000 | 0xe7f032ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7f0330000 | 0xe7f0330000 | 0xe7f0332fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7f0330000 | 0xe7f0330000 | 0xe7f0331fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0xe7f0330000 | 0xe7f0330fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e7f0330000 | 0xe7f0330000 | 0xe7f0821fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7f0340000 | 0xe7f0340000 | 0xe7f0341fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e7f0830000 | 0xe7f0830000 | 0xe7f0a47fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e71f8000 | 0x7ff6e71f8000 | 0x7ff6e71f9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e71fa000 | 0x7ff6e71fa000 | 0x7ff6e71fbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e71fc000 | 0x7ff6e71fc000 | 0x7ff6e71fdfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e71fe000 | 0x7ff6e71fe000 | 0x7ff6e71fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6e7200000 | 0x7ff6e7200000 | 0x7ff6e72fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6e7300000 | 0x7ff6e7300000 | 0x7ff6e7322fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6e7323000 | 0x7ff6e7323000 | 0x7ff6e7324fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e7325000 | 0x7ff6e7325000 | 0x7ff6e7326fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e7327000 | 0x7ff6e7327000 | 0x7ff6e7328fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e7329000 | 0x7ff6e7329000 | 0x7ff6e732afff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e732b000 | 0x7ff6e732b000 | 0x7ff6e732cfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e732d000 | 0x7ff6e732d000 | 0x7ff6e732efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6e732f000 | 0x7ff6e732f000 | 0x7ff6e732ffff | Private Memory | Readable, Writable |
|
|
|
|
| csrss.exe | 0x7ff6e7a10000 | 0x7ff6e7a16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sxs.dll | 0x7ffd1cba0000 | 0x7ffd1cc36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sxssrv.dll | 0x7ffd1ccc0000 | 0x7ffd1ccccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsrv.dll | 0x7ffd1ccd0000 | 0x7ffd1cd01fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| basesrv.dll | 0x7ffd1cd10000 | 0x7ffd1cd22fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| csrsrv.dll | 0x7ffd1cd30000 | 0x7ffd1cd45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\system32\winlogon.exe |
| Command Line | winlogon.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:09, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:06 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x1a8 |
| Parent PID | 0x17c (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
1AC
0x
1F0
0x
1F4
0x
288
0x
28C
0x
2A8
0x
3DC
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000d600000000 | 0xd600000000 | 0xd600000fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67d6b0000 | 0xd67d6b0000 | 0xd67d6cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67d6b0000 | 0xd67d6b0000 | 0xd67d6bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67d6c0000 | 0xd67d6c0000 | 0xd67d6c6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67d6d0000 | 0xd67d6d0000 | 0xd67d6defff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d67d6e0000 | 0xd67d6e0000 | 0xd67d75ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xd67d760000 | 0xd67d7ddfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000d67d7e0000 | 0xd67d7e0000 | 0xd67d7e6fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xd67d7f0000 | 0xd67d823fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000d67d7f0000 | 0xd67d7f0000 | 0xd67d7f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d67d800000 | 0xd67d800000 | 0xd67d800fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67d810000 | 0xd67d810000 | 0xd67d810fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67d820000 | 0xd67d820000 | 0xd67d820fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67d830000 | 0xd67d830000 | 0xd67d8affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67d8b0000 | 0xd67d8b0000 | 0xd67d8b0fff | Private Memory | Readable, Writable |
|
|
|
|
| user32.dll.mui | 0xd67d8b0000 | 0xd67d8b4fff | Memory Mapped File | Readable |
|
|
|
|
| user32.dll.mui | 0xd67d8c0000 | 0xd67d8c4fff | Memory Mapped File | Readable |
|
|
|
|
| aero_arrow.cur | 0xd67d8c0000 | 0xd67d8c7fff | Memory Mapped File | Readable |
|
|
|
|
| aero_up.cur | 0xd67d8c0000 | 0xd67d8c7fff | Memory Mapped File | Readable |
|
|
|
|
| aero_helpsel.cur | 0xd67d8c0000 | 0xd67d8c7fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000d67d8c0000 | 0xd67d8c0000 | 0xd67d8c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67d8c0000 | 0xd67d8c0000 | 0xd67d8c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67d8c0000 | 0xd67d8c0000 | 0xd67d8c3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67d8c0000 | 0xd67d8c0000 | 0xd67d8c1fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67d8d0000 | 0xd67d8d0000 | 0xd67d8fffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d67d900000 | 0xd67d900000 | 0xd67d917fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d67d920000 | 0xd67d920000 | 0xd67da1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67da20000 | 0xd67da20000 | 0xd67dbbffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67da20000 | 0xd67da20000 | 0xd67dba7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d67dbb0000 | 0xd67dbb0000 | 0xd67dbbffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67dbc0000 | 0xd67dbc0000 | 0xd67dd40fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d67dd50000 | 0xd67dd50000 | 0xd67e149fff | Pagefile Backed Memory | Readable |
|
|
|
|
| aero_busy.ani | 0xd67dd50000 | 0xd67ddd7fff | Memory Mapped File | Readable |
|
|
|
|
| aero_working.ani | 0xd67dd50000 | 0xd67ddd7fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000d67dd50000 | 0xd67dd50000 | 0xd67dedffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67dd50000 | 0xd67dd50000 | 0xd67dd8bfff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67dd50000 | 0xd67dd50000 | 0xd67deb8fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67dd50000 | 0xd67dd50000 | 0xd67de3ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d67dd50000 | 0xd67dd50000 | 0xd67ddcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67dd50000 | 0xd67dd50000 | 0xd67dd50fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67dd50000 | 0xd67dd50000 | 0xd67dd50fff | Pagefile Backed Memory | Readable |
|
|
|
|
| aero_arrow.cur | 0xd67dd50000 | 0xd67dd57fff | Memory Mapped File | Readable |
|
|
|
|
| aero_up.cur | 0xd67dd50000 | 0xd67dd57fff | Memory Mapped File | Readable |
|
|
|
|
| aero_helpsel.cur | 0xd67dd50000 | 0xd67dd57fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000d67dd50000 | 0xd67dd50000 | 0xd67dd53fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d67dd60000 | 0xd67dd60000 | 0xd67dd60fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67dd70000 | 0xd67dd70000 | 0xd67dd70fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67dd70000 | 0xd67dd70000 | 0xd67dd70fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d67dd70000 | 0xd67dd70000 | 0xd67dd73fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d67dd90000 | 0xd67dd90000 | 0xd67ddcbfff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67ddd0000 | 0xd67ddd0000 | 0xd67de4ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67de40000 | 0xd67de40000 | 0xd67de40fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sysmain.sdb | 0xd67de50000 | 0xd67deb3fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000d67de50000 | 0xd67de50000 | 0xd67de50fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67de50000 | 0xd67de50000 | 0xd67decffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67ded0000 | 0xd67ded0000 | 0xd67dedffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67dee0000 | 0xd67dee0000 | 0xd67dfcffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67dee0000 | 0xd67dee0000 | 0xd67dfdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000d67dfe0000 | 0xd67dfe0000 | 0xd67e05ffff | Private Memory | Readable, Writable |
|
|
|
|
| aero_busy.ani | 0xd67dfe0000 | 0xd67e067fff | Memory Mapped File | Readable |
|
|
|
|
| aero_working.ani | 0xd67dfe0000 | 0xd67e067fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000d67dfe0000 | 0xd67dfe0000 | 0xd67e0cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000d67e150000 | 0xd67e150000 | 0xd67e1cffff | Private Memory | Readable, Writable |
|
|
|
|
| malgun.ttf | 0xd67e1d0000 | 0xd67eaf6fff | Memory Mapped File | Readable |
|
|
|
|
| msyh.ttc | 0xd67e1d0000 | 0xd67f671fff | Memory Mapped File | Readable |
|
|
|
|
| batang.ttc | 0xd67e1d0000 | 0xd67f152fff | Memory Mapped File | Readable |
|
|
|
|
| malgunbd.ttf | 0xd67e1d0000 | 0xd67ea51fff | Memory Mapped File | Readable |
|
|
|
|
| segoeuib.ttf | 0xd67e1d0000 | 0xd67e29bfff | Memory Mapped File | Readable |
|
|
|
|
| msmincho.ttc | 0xd67e1d0000 | 0xd67eb6dfff | Memory Mapped File | Readable |
|
|
|
|
| segoeui.ttf | 0xd67e1d0000 | 0xd67e29dfff | Memory Mapped File | Readable |
|
|
|
|
| tahoma.ttf | 0xd67e1d0000 | 0xd67e286fff | Memory Mapped File | Readable |
|
|
|
|
| simsun.ttc | 0xd67e1d0000 | 0xd67f339fff | Memory Mapped File | Readable |
|
|
|
|
| meiryob.ttc | 0xd67e1d0000 | 0xd67eb1afff | Memory Mapped File | Readable |
|
|
|
|
| msgothic.ttc | 0xd67e1d0000 | 0xd67ea98fff | Memory Mapped File | Readable |
|
|
|
|
| gulim.ttc | 0xd67e1d0000 | 0xd67eeb5fff | Memory Mapped File | Readable |
|
|
|
|
| msjhbd.ttc | 0xd67e1d0000 | 0xd67ef94fff | Memory Mapped File | Readable |
|
|
|
|
| msyhbd.ttc | 0xd67e1d0000 | 0xd67ef9afff | Memory Mapped File | Readable |
|
|
|
|
| micross.ttf | 0xd67e1d0000 | 0xd67e272fff | Memory Mapped File | Readable |
|
|
|
|
| mingliu.ttc | 0xd67e1d0000 | 0xd67fc0bfff | Memory Mapped File | Readable |
|
|
|
|
| msjh.ttc | 0xd67e1d0000 | 0xd67f64cfff | Memory Mapped File | Readable |
|
|
|
|
| meiryo.ttc | 0xd67e1d0000 | 0xd67eae5fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000d67e1d0000 | 0xd67e1d0000 | 0xd67e456fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000d67e460000 | 0xd67e460000 | 0xd67e6e6fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d67e460000 | 0xd67e460000 | 0xd67f85ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0xd67f860000 | 0xd67fb34fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000d67fb40000 | 0xd67fb40000 | 0xd67ff39fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000d67fb40000 | 0xd67fb40000 | 0xd67fc2ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff78dcc0000 | 0x7ff78dcc0000 | 0x7ff78ddbffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff78ddc0000 | 0x7ff78ddc0000 | 0x7ff78dde2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff78dde3000 | 0x7ff78dde3000 | 0x7ff78dde3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff78dde4000 | 0x7ff78dde4000 | 0x7ff78dde5fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff78dde6000 | 0x7ff78dde6000 | 0x7ff78dde7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff78dde8000 | 0x7ff78dde8000 | 0x7ff78dde9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff78ddea000 | 0x7ff78ddea000 | 0x7ff78ddebfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff78ddec000 | 0x7ff78ddec000 | 0x7ff78ddedfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff78ddee000 | 0x7ff78ddee000 | 0x7ff78ddeffff | Private Memory | Readable, Writable |
|
|
|
|
| winlogon.exe | 0x7ff78e180000 | 0x7ff78e20ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwm.exe | 0x7ff7f8670000 | 0x7ff7f868ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kbdus.dll | 0x7ffd17a30000 | 0x7ffd17a33fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x7ffd195b0000 | 0x7ffd195dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x7ffd1b950000 | 0x7ffd1b9dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dpapi.dll | 0x7ffd1b9e0000 | 0x7ffd1b9e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxinit.dll | 0x7ffd1bb50000 | 0x7ffd1bb65fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kbdus.dll | 0x7ffd1c5d0000 | 0x7ffd1c5d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kbdus.dll | 0x7ffd1c7f0000 | 0x7ffd1c7f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winlogonext.dll | 0x7ffd1cb80000 | 0x7ffd1cb97fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x7ffd1ce20000 | 0x7ffd1cff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:09, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:06 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x1cc |
| Parent PID | 0x184 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
1D0
0x
220
0x
224
0x
23C
0x
26C
0x
2F4
0x
31C
0x
3E0
0x
3E8
0x
650
0x
790
0x
794
0x
798
0x
79C
0x
840
0x
234
0x
6A8
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| armsvc.exe | 0x013a0000 | 0x013b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000004c4fbe0000 | 0x4c4fbe0000 | 0x4c4fbfffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004c4fbe0000 | 0x4c4fbe0000 | 0x4c4fbeffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c4fbf0000 | 0x4c4fbf0000 | 0x4c4fbf6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004c4fc00000 | 0x4c4fc00000 | 0x4c4fc0efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000004c4fc10000 | 0x4c4fc10000 | 0x4c4fc8ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004c4fc90000 | 0x4c4fc90000 | 0x4c4fc93fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004c4fca0000 | 0x4c4fca0000 | 0x4c4fca0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000004c4fcb0000 | 0x4c4fcb0000 | 0x4c4fcb6fff | Private Memory | Readable, Writable |
|
|
|
|
| 1394.pnf | 0x4c4fcc0000 | 0x4c4fcc4fff | Memory Mapped File | Readable |
|
|
|
|
| acpi.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| acpipagr.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| acpipmi.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| cpu.pnf | 0x4c4fcc0000 | 0x4c4fcc6fff | Memory Mapped File | Readable |
|
|
|
|
| arcsas.pnf | 0x4c4fcc0000 | 0x4c4fccefff | Memory Mapped File | Readable |
|
|
|
|
| netbvbda.pnf | 0x4c4fcc0000 | 0x4c4fcc3fff | Memory Mapped File | Readable |
|
|
|
|
| bcmfn2.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| bthaudhid.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| bthspp.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| cdrom.pnf | 0x4c4fcc0000 | 0x4c4fcc3fff | Memory Mapped File | Readable |
|
|
|
|
| circlass.pnf | 0x4c4fcc0000 | 0x4c4fcc5fff | Memory Mapped File | Readable |
|
|
|
|
| cmbatt.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| compositebus.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| disk.pnf | 0x4c4fcc0000 | 0x4c4fcc4fff | Memory Mapped File | Readable |
|
|
|
|
| wdmaudio.pnf | 0x4c4fcc0000 | 0x4c4fcc5fff | Memory Mapped File | Readable |
|
|
|
|
| ehstortcgdrv.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| errdev.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| fdc.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| flpydisk.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| wgencounter.pnf | 0x4c4fcc0000 | 0x4c4fcc3fff | Memory Mapped File | Readable |
|
|
|
|
| hdaudbus.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| hidbatt.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| hidbth.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| hidir.pnf | 0x4c4fcc0000 | 0x4c4fcc8fff | Memory Mapped File | Readable |
|
|
|
|
| ialpssi_gpio.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| ialpssi_i2c.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| iastorv.pnf | 0x4c4fcc0000 | 0x4c4fcc3fff | Memory Mapped File | Readable |
|
|
|
|
| intelpep.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| iscsi.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| kdnic.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| msgpiowin32.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| ksfilter.pnf | 0x4c4fcc0000 | 0x4c4fcc4fff | Memory Mapped File | Readable |
|
|
|
|
| mssmbios.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| mtconfig.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| ndisuio.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| msports.pnf | 0x4c4fcc0000 | 0x4c4fcc8fff | Memory Mapped File | Readable |
|
|
|
|
| rdpbus.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| sbp2.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| sdstor.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| spaceport.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| stornvme.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| swenum.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| netip6.pnf | 0x4c4fcc0000 | 0x4c4fcc4fff | Memory Mapped File | Readable |
|
|
|
|
| termmou.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| tpm.pnf | 0x4c4fcc0000 | 0x4c4fcc3fff | Memory Mapped File | Readable |
|
|
|
|
| tsgenericusbdriver.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| nettun.pnf | 0x4c4fcc0000 | 0x4c4fcc3fff | Memory Mapped File | Readable |
|
|
|
|
| uaspstor.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| umbus.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| umpass.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| usbcir.pnf | 0x4c4fcc0000 | 0x4c4fccefff | Memory Mapped File | Readable |
|
|
|
|
| usbhub3.pnf | 0x4c4fcc0000 | 0x4c4fcc4fff | Memory Mapped File | Readable |
|
|
|
|
| usbprint.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| usbstor.pnf | 0x4c4fcc0000 | 0x4c4fccefff | Memory Mapped File | Readable |
|
|
|
|
| usbxhci.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| vdrvroot.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| volmgr.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| volume.pnf | 0x4c4fcc0000 | 0x4c4fcc1fff | Memory Mapped File | Readable |
|
|
|
|
| wvpcivsp.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| wmiacpi.pnf | 0x4c4fcc0000 | 0x4c4fcc2fff | Memory Mapped File | Readable |
|
|
|
|
| hidbthle.pnf | 0x4c4fcc0000 | 0x4c4fcc3fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000004c4fcc0000 | 0x4c4fcc0000 | 0x4c4fcc7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c4fcd0000 | 0x4c4fcd0000 | 0x4c4fdcffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x4c4fdd0000 | 0x4c4fe4dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000004c4fe50000 | 0x4c4fe50000 | 0x4c5000ffff | Private Memory | Readable, Writable |
|
|
|
|
| machine.pnf | 0x4c4fe50000 | 0x4c4ff2ffff | Memory Mapped File | Readable |
|
|
|
|
| mshdc.pnf | 0x4c4fe50000 | 0x4c4fe60fff | Memory Mapped File | Readable |
|
|
|
|
| net1ic64.pnf | 0x4c4fe50000 | 0x4c4fe6afff | Memory Mapped File | Readable |
|
|
|
|
| netevbda.pnf | 0x4c4fe50000 | 0x4c4fe6dfff | Memory Mapped File | Readable |
|
|
|
|
| hdaudio.pnf | 0x4c4fe50000 | 0x4c4fe6ffff | Memory Mapped File | Readable |
|
|
|
|
| input.pnf | 0x4c4fe50000 | 0x4c4fe73fff | Memory Mapped File | Readable |
|
|
|
|
| keyboard.pnf | 0x4c4fe50000 | 0x4c4fe6dfff | Memory Mapped File | Readable |
|
|
|
|
| monitor.pnf | 0x4c4fe50000 | 0x4c4ff68fff | Memory Mapped File | Readable |
|
|
|
|
| msmouse.pnf | 0x4c4fe50000 | 0x4c4fe66fff | Memory Mapped File | Readable |
|
|
|
|
| usb.pnf | 0x4c4fe50000 | 0x4c4fe61fff | Memory Mapped File | Readable |
|
|
|
|
| usbport.pnf | 0x4c4fe50000 | 0x4c4fe72fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000004c4fe50000 | 0x4c4fe50000 | 0x4c4fecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c4fed0000 | 0x4c4fed0000 | 0x4c4ff4ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004c4ff50000 | 0x4c4ff50000 | 0x4c4ff52fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004c4ff60000 | 0x4c4ff60000 | 0x4c4ff60fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c4ff70000 | 0x4c4ff70000 | 0x4c4ffeffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c4fff0000 | 0x4c4fff0000 | 0x4c4fff1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c50000000 | 0x4c50000000 | 0x4c5000ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x4c50010000 | 0x4c502e4fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000004c502f0000 | 0x4c502f0000 | 0x4c506e9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000004c506f0000 | 0x4c506f0000 | 0x4c5076ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c50770000 | 0x4c50770000 | 0x4c507effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c507f0000 | 0x4c507f0000 | 0x4c5086ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c50870000 | 0x4c50870000 | 0x4c508effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c508f0000 | 0x4c508f0000 | 0x4c5096ffff | Private Memory | Readable, Writable |
|
|
|
|
| sysmain.sdb | 0x4c50970000 | 0x4c50d07fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000004c50970000 | 0x4c50970000 | 0x4c509effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c509f0000 | 0x4c509f0000 | 0x4c50aeffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c50af0000 | 0x4c50af0000 | 0x4c50b6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c50b70000 | 0x4c50b70000 | 0x4c50beffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004c50bf0000 | 0x4c50bf0000 | 0x4c50c6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff754520000 | 0x7ff754520000 | 0x7ff754521fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff754522000 | 0x7ff754522000 | 0x7ff754523fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff754524000 | 0x7ff754524000 | 0x7ff754525fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff754526000 | 0x7ff754526000 | 0x7ff754527fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff754528000 | 0x7ff754528000 | 0x7ff754529fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75452a000 | 0x7ff75452a000 | 0x7ff75452bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75452c000 | 0x7ff75452c000 | 0x7ff75452dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75452e000 | 0x7ff75452e000 | 0x7ff75452ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff754530000 | 0x7ff754530000 | 0x7ff75462ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff754630000 | 0x7ff754630000 | 0x7ff754652fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff754654000 | 0x7ff754654000 | 0x7ff754655fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff754656000 | 0x7ff754656000 | 0x7ff754656fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff754658000 | 0x7ff754658000 | 0x7ff754659fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75465a000 | 0x7ff75465a000 | 0x7ff75465bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75465c000 | 0x7ff75465c000 | 0x7ff75465dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75465e000 | 0x7ff75465e000 | 0x7ff75465ffff | Private Memory | Readable, Writable |
|
|
|
|
| services.exe | 0x7ff755150000 | 0x7ff7551b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x7ffd1b950000 | 0x7ffd1b9dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| authz.dll | 0x7ffd1bf60000 | 0x7ffd1bfa7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| scesrv.dll | 0x7ffd1bfb0000 | 0x7ffd1c037fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| spinf.dll | 0x7ffd1c040000 | 0x7ffd1c05cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| eventaggregation.dll | 0x7ffd1c090000 | 0x7ffd1c09afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dabapi.dll | 0x7ffd1c0a0000 | 0x7ffd1c0a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| scext.dll | 0x7ffd1c100000 | 0x7ffd1c10ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x7ffd1c5e0000 | 0x7ffd1c637fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\windows\system32\lsass.exe |
| Command Line | C:\Windows\system32\lsass.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:09, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:06 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x1d4 |
| Parent PID | 0x184 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
1D8
0x
1DC
0x
1E0
0x
1E4
0x
1E8
0x
204
0x
208
0x
20C
0x
210
0x
214
0x
3CC
0x
3EC
0x
788
0x
624
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000ef97570000 | 0xef97570000 | 0xef9758ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef97570000 | 0xef97570000 | 0xef9757ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef97580000 | 0xef97580000 | 0xef97580fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef97590000 | 0xef97590000 | 0xef9759efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ef975a0000 | 0xef975a0000 | 0xef9761ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef975a0000 | 0xef975a0000 | 0xef975a0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef975a0000 | 0xef975a0000 | 0xef975a7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef975a0000 | 0xef975a0000 | 0xef975dbfff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| tzres.dll | 0xef975a0000 | 0xef975a1fff | Memory Mapped File | Readable |
|
|
|
|
| tzres.dll.mui | 0xef975b0000 | 0xef975b7fff | Memory Mapped File | Readable |
|
|
|
|
| 9cd83a8a-5892-4874-ac04-38bb2aecdaea | 0xef975e0000 | 0xef975e0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ef97620000 | 0xef97620000 | 0xef97623fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ef97630000 | 0xef97630000 | 0xef97630fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ef97640000 | 0xef97640000 | 0xef97641fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xef97650000 | 0xef976cdfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000ef976d0000 | 0xef976d0000 | 0xef976d6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef976e0000 | 0xef976e0000 | 0xef976e6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef976f0000 | 0xef976f0000 | 0xef976fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef97700000 | 0xef97700000 | 0xef9770ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef97710000 | 0xef97710000 | 0xef97712fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ef97720000 | 0xef97720000 | 0xef9781ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef97820000 | 0xef97820000 | 0xef9789ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef978a0000 | 0xef978a0000 | 0xef979bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef978a0000 | 0xef978a0000 | 0xef9791ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef97920000 | 0xef97920000 | 0xef9799ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef979a0000 | 0xef979a0000 | 0xef979a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef979b0000 | 0xef979b0000 | 0xef979bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef979c0000 | 0xef979c0000 | 0xef97ac0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef979c0000 | 0xef979c0000 | 0xef97a3ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef97a40000 | 0xef97a40000 | 0xef97e39fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ef97e40000 | 0xef97e40000 | 0xef97e4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef97e50000 | 0xef97e50000 | 0xef97e50fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef97e50000 | 0xef97e50000 | 0xef97e50fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef97e50000 | 0xef97e50000 | 0xef97f50fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ef97e50000 | 0xef97e50000 | 0xef97e5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| c_28591.nls | 0xef97e50000 | 0xef97e60fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0xef97e70000 | 0xef98144fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ef98150000 | 0xef98150000 | 0xef9815ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef98150000 | 0xef98150000 | 0xef98150fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef98160000 | 0xef98160000 | 0xef981dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef981e0000 | 0xef981e0000 | 0xef981e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef981f0000 | 0xef981f0000 | 0xef981f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef98200000 | 0xef98200000 | 0xef98200fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef98210000 | 0xef98210000 | 0xef98210fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef98220000 | 0xef98220000 | 0xef98220fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef98230000 | 0xef98230000 | 0xef98230fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef98240000 | 0xef98240000 | 0xef98240fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef98250000 | 0xef98250000 | 0xef98250fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef98260000 | 0xef98260000 | 0xef982dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef982e0000 | 0xef982e0000 | 0xef9835ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef982e0000 | 0xef982e0000 | 0xef983dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef98360000 | 0xef98360000 | 0xef983dffff | Private Memory | Readable, Writable |
|
|
|
|
| b2178b99-f9f6-47ad-b0eb-4e709bc8dfda | 0xef98360000 | 0xef98360fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000ef98360000 | 0xef98360000 | 0xef98360fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef983e0000 | 0xef983e0000 | 0xef983e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ef983e0000 | 0xef983e0000 | 0xef9845ffff | Private Memory | Readable, Writable |
|
|
|
|
| 903be937-d4bc-44a8-9134-f1f5a2d9c2c0 | 0xef98460000 | 0xef98460fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00007ff74a3c8000 | 0x7ff74a3c8000 | 0x7ff74a3c9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff74a3ca000 | 0x7ff74a3ca000 | 0x7ff74a3cbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff74a3cc000 | 0x7ff74a3cc000 | 0x7ff74a3cdfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff74a3ce000 | 0x7ff74a3ce000 | 0x7ff74a3cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff74a3d0000 | 0x7ff74a3d0000 | 0x7ff74a4cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff74a4d0000 | 0x7ff74a4d0000 | 0x7ff74a4f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff74a4f4000 | 0x7ff74a4f4000 | 0x7ff74a4f5fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff74a4f6000 | 0x7ff74a4f6000 | 0x7ff74a4f7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff74a4f8000 | 0x7ff74a4f8000 | 0x7ff74a4f9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff74a4fa000 | 0x7ff74a4fa000 | 0x7ff74a4fbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff74a4fc000 | 0x7ff74a4fc000 | 0x7ff74a4fcfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff74a4fe000 | 0x7ff74a4fe000 | 0x7ff74a4fffff | Private Memory | Readable, Writable |
|
|
|
|
| lsass.exe | 0x7ff74b110000 | 0x7ff74b11dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fvecerts.dll | 0x7ffd18960000 | 0x7ffd1896afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcd.dll | 0x7ffd18970000 | 0x7ffd18989fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fveapi.dll | 0x7ffd18990000 | 0x7ffd18a42fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wevtapi.dll | 0x7ffd195e0000 | 0x7ffd19646fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| scecli.dll | 0x7ffd1c0b0000 | 0x7ffd1c0f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| credssp.dll | 0x7ffd1c100000 | 0x7ffd1c109fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dpapisrv.dll | 0x7ffd1c110000 | 0x7ffd1c142fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| efslsaext.dll | 0x7ffd1c150000 | 0x7ffd1c161fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| schannel.dll | 0x7ffd1c170000 | 0x7ffd1c1dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wdigest.dll | 0x7ffd1c1e0000 | 0x7ffd1c219fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| livessp.dll | 0x7ffd1c260000 | 0x7ffd1c2bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pku2u.dll | 0x7ffd1c2c0000 | 0x7ffd1c306fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| tspkg.dll | 0x7ffd1c310000 | 0x7ffd1c32afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| logoncli.dll | 0x7ffd1c350000 | 0x7ffd1c38cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x7ffd1c390000 | 0x7ffd1c432fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netlogon.dll | 0x7ffd1c440000 | 0x7ffd1c50efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msv1_0.dll | 0x7ffd1c510000 | 0x7ffd1c577fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x7ffd1c5e0000 | 0x7ffd1c637fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kerberos.dll | 0x7ffd1c660000 | 0x7ffd1c74afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptdll.dll | 0x7ffd1c750000 | 0x7ffd1c767fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| negoexts.dll | 0x7ffd1c770000 | 0x7ffd1c795fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netjoin.dll | 0x7ffd1c7a0000 | 0x7ffd1c7effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msprivs.dll | 0x7ffd1c7f0000 | 0x7ffd1c7f1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntasn1.dll | 0x7ffd1c800000 | 0x7ffd1c839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ncrypt.dll | 0x7ffd1c840000 | 0x7ffd1c863fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samsrv.dll | 0x7ffd1c8a0000 | 0x7ffd1c96efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lsasrv.dll | 0x7ffd1c970000 | 0x7ffd1caccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspisrv.dll | 0x7ffd1cad0000 | 0x7ffd1cadafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x7ffd1ce20000 | 0x7ffd1cff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #41 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k DcomLaunch |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:11, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:04 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x228 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
22C
0x
230
0x
234
0x
238
0x
240
0x
254
0x
258
0x
260
0x
264
0x
270
0x
274
0x
284
0x
2C8
0x
2EC
0x
2F0
0x
388
0x
1C8
0x
42C
0x
44C
0x
4E0
0x
4F0
0x
6E0
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000006ab8ba0000 | 0x6ab8ba0000 | 0x6ab8bbffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab8ba0000 | 0x6ab8ba0000 | 0x6ab8baffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab8bb0000 | 0x6ab8bb0000 | 0x6ab8bb6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab8bc0000 | 0x6ab8bc0000 | 0x6ab8bcefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006ab8bd0000 | 0x6ab8bd0000 | 0x6ab8c4ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab8c50000 | 0x6ab8c50000 | 0x6ab8c53fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006ab8c60000 | 0x6ab8c60000 | 0x6ab8c60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006ab8c70000 | 0x6ab8c70000 | 0x6ab8c71fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x6ab8c80000 | 0x6ab8cfdfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000006ab8d00000 | 0x6ab8d00000 | 0x6ab8d7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab8d80000 | 0x6ab8d80000 | 0x6ab8e7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab8e80000 | 0x6ab8e80000 | 0x6ab8efffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x6ab8f00000 | 0x6ab91d4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000006ab91e0000 | 0x6ab91e0000 | 0x6ab935ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab91e0000 | 0x6ab91e0000 | 0x6ab91e6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab91f0000 | 0x6ab91f0000 | 0x6ab926ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab91f0000 | 0x6ab91f0000 | 0x6ab91f0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab9270000 | 0x6ab9270000 | 0x6ab9270fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab9280000 | 0x6ab9280000 | 0x6ab92fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab9300000 | 0x6ab9300000 | 0x6ab9300fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab9310000 | 0x6ab9310000 | 0x6ab9326fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab9310000 | 0x6ab9310000 | 0x6ab9310fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006ab9320000 | 0x6ab9320000 | 0x6ab9320fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab9330000 | 0x6ab9330000 | 0x6ab9330fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab9330000 | 0x6ab9330000 | 0x6ab9330fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006ab9340000 | 0x6ab9340000 | 0x6ab9340fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006ab9350000 | 0x6ab9350000 | 0x6ab935ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab9360000 | 0x6ab9360000 | 0x6ab94affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab9360000 | 0x6ab9360000 | 0x6ab93dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab93e0000 | 0x6ab93e0000 | 0x6ab945ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab9460000 | 0x6ab9460000 | 0x6ab9462fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006ab9470000 | 0x6ab9470000 | 0x6ab9470fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab9480000 | 0x6ab9480000 | 0x6ab9480fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab9490000 | 0x6ab9490000 | 0x6ab9490fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab94a0000 | 0x6ab94a0000 | 0x6ab94affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab94b0000 | 0x6ab94b0000 | 0x6ab952ffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0x6ab9530000 | 0x6ab96a6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000006ab9530000 | 0x6ab9530000 | 0x6ab962ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab9630000 | 0x6ab9630000 | 0x6ab96effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab9630000 | 0x6ab9630000 | 0x6ab96affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab96b0000 | 0x6ab96b0000 | 0x6ab96b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| thumbnailextractionhost.exe | 0x6ab96c0000 | 0x6ab96c7fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000006ab96c0000 | 0x6ab96c0000 | 0x6ab96c6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab96d0000 | 0x6ab96d0000 | 0x6ab96d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab96e0000 | 0x6ab96e0000 | 0x6ab96effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab96f0000 | 0x6ab96f0000 | 0x6ab976ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab9770000 | 0x6ab9770000 | 0x6ab9b69fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006ab9b70000 | 0x6ab9b70000 | 0x6ab9beffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab9bf0000 | 0x6ab9bf0000 | 0x6ab9c6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ab9c70000 | 0x6ab9c70000 | 0x6ab9ceffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ab9cf0000 | 0x6ab9cf0000 | 0x6ab9e77fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006ab9e80000 | 0x6ab9e80000 | 0x6aba000fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006aba010000 | 0x6aba010000 | 0x6aba0cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006aba0d0000 | 0x6aba0d0000 | 0x6aba1cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba1d0000 | 0x6aba1d0000 | 0x6aba24ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba250000 | 0x6aba250000 | 0x6aba2cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba2d0000 | 0x6aba2d0000 | 0x6aba3cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba3d0000 | 0x6aba3d0000 | 0x6aba3d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba3e0000 | 0x6aba3e0000 | 0x6aba3e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba3f0000 | 0x6aba3f0000 | 0x6aba3f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba400000 | 0x6aba400000 | 0x6aba400fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba410000 | 0x6aba410000 | 0x6aba410fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba420000 | 0x6aba420000 | 0x6aba420fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba430000 | 0x6aba430000 | 0x6aba430fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba440000 | 0x6aba440000 | 0x6aba440fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba450000 | 0x6aba450000 | 0x6aba450fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba460000 | 0x6aba460000 | 0x6aba460fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba470000 | 0x6aba470000 | 0x6aba470fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba480000 | 0x6aba480000 | 0x6aba480fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba490000 | 0x6aba490000 | 0x6aba490fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba4a0000 | 0x6aba4a0000 | 0x6aba4a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba4b0000 | 0x6aba4b0000 | 0x6aba4b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba4c0000 | 0x6aba4c0000 | 0x6aba4c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba4d0000 | 0x6aba4d0000 | 0x6aba4d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba4e0000 | 0x6aba4e0000 | 0x6aba4e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba4f0000 | 0x6aba4f0000 | 0x6aba4f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba500000 | 0x6aba500000 | 0x6aba500fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba510000 | 0x6aba510000 | 0x6aba510fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba520000 | 0x6aba520000 | 0x6aba520fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba530000 | 0x6aba530000 | 0x6aba530fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba540000 | 0x6aba540000 | 0x6aba540fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba550000 | 0x6aba550000 | 0x6aba550fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba560000 | 0x6aba560000 | 0x6aba560fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006aba570000 | 0x6aba570000 | 0x6aba570fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6178cc000 | 0x7ff6178cc000 | 0x7ff6178cdfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6178ce000 | 0x7ff6178ce000 | 0x7ff6178cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6178d0000 | 0x7ff6178d0000 | 0x7ff6178d1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6178d2000 | 0x7ff6178d2000 | 0x7ff6178d3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6178d4000 | 0x7ff6178d4000 | 0x7ff6178d5fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6178d6000 | 0x7ff6178d6000 | 0x7ff6178d7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6178d8000 | 0x7ff6178d8000 | 0x7ff6178d9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6178da000 | 0x7ff6178da000 | 0x7ff6178dbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6178dc000 | 0x7ff6178dc000 | 0x7ff6178ddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6178de000 | 0x7ff6178de000 | 0x7ff6178dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6178e0000 | 0x7ff6178e0000 | 0x7ff6179dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6179e0000 | 0x7ff6179e0000 | 0x7ff617a02fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff617a04000 | 0x7ff617a04000 | 0x7ff617a05fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617a06000 | 0x7ff617a06000 | 0x7ff617a07fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617a08000 | 0x7ff617a08000 | 0x7ff617a09fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617a0a000 | 0x7ff617a0a000 | 0x7ff617a0afff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617a0c000 | 0x7ff617a0c000 | 0x7ff617a0dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617a0e000 | 0x7ff617a0e000 | 0x7ff617a0ffff | Private Memory | Readable, Writable |
|
|
|
|
| svchost.exe | 0x7ff618320000 | 0x7ff61832bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| actxprxy.dll | 0x7ffd167a0000 | 0x7ffd16a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| twinapi.dll | 0x7ffd17840000 | 0x7ffd178f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| appxalluserstore.dll | 0x7ffd17a20000 | 0x7ffd17a4bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x7ffd195b0000 | 0x7ffd195dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dab.dll | 0x7ffd19f20000 | 0x7ffd19f3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bi.dll | 0x7ffd19f40000 | 0x7ffd19f4afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7ffd19f70000 | 0x7ffd19f80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| systemeventsbrokerserver.dll | 0x7ffd1b900000 | 0x7ffd1b947fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wmsgapi.dll | 0x7ffd1bb80000 | 0x7ffd1bb88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sysntfy.dll | 0x7ffd1bb90000 | 0x7ffd1bb9afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psmsrv.dll | 0x7ffd1bba0000 | 0x7ffd1bbc3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lsm.dll | 0x7ffd1bc90000 | 0x7ffd1bd45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bisrv.dll | 0x7ffd1bd50000 | 0x7ffd1bd93fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcss.dll | 0x7ffd1bde0000 | 0x7ffd1be9cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gpapi.dll | 0x7ffd1bea0000 | 0x7ffd1bec2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| hid.dll | 0x7ffd1bed0000 | 0x7ffd1bedcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pcwum.dll | 0x7ffd1bee0000 | 0x7ffd1beedfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| umpoext.dll | 0x7ffd1bef0000 | 0x7ffd1befefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| umpo.dll | 0x7ffd1bf00000 | 0x7ffd1bf15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| umpnpmgr.dll | 0x7ffd1bf20000 | 0x7ffd1bf42fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 7 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k RPCSS |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:11, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:04 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x244 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
248
0x
24C
0x
250
0x
25C
0x
268
0x
278
0x
27C
0x
2E8
0x
2F8
0x
130
0x
620
0x
674
0x
698
0x
6B8
0x
6BC
0x
6C4
0x
780
0x
7D4
0x
7E8
0x
888
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000005018820000 | 0x5018820000 | 0x501883ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005018820000 | 0x5018820000 | 0x501882ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000005018830000 | 0x5018830000 | 0x5018836fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005018840000 | 0x5018840000 | 0x501884efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005018850000 | 0x5018850000 | 0x50188cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000050188d0000 | 0x50188d0000 | 0x50188d3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000050188e0000 | 0x50188e0000 | 0x50188e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000050188f0000 | 0x50188f0000 | 0x50188f1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x5018900000 | 0x501897dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005018980000 | 0x5018980000 | 0x5018980fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005018980000 | 0x5018980000 | 0x50189bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005018980000 | 0x5018980000 | 0x5018986fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005018990000 | 0x5018990000 | 0x5018992fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000050189a0000 | 0x50189a0000 | 0x50189a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000050189b0000 | 0x50189b0000 | 0x50189bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000050189c0000 | 0x50189c0000 | 0x50189c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000050189d0000 | 0x50189d0000 | 0x5018acffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005018ad0000 | 0x5018ad0000 | 0x5018b4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005018b50000 | 0x5018b50000 | 0x5018bcffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x5018bd0000 | 0x5018ea4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005018eb0000 | 0x5018eb0000 | 0x5018f2ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005018f30000 | 0x5018f30000 | 0x5019329fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005019330000 | 0x5019330000 | 0x50193affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000050193b0000 | 0x50193b0000 | 0x501942ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005019430000 | 0x5019430000 | 0x50194affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000050194b0000 | 0x50194b0000 | 0x501952ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005019530000 | 0x5019530000 | 0x5019530fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005019540000 | 0x5019540000 | 0x50195bffff | Private Memory | Readable, Writable |
|
|
|
|
| explorer.exe | 0x50195c0000 | 0x50197f8fff | Memory Mapped File | Readable |
|
|
|
|
| rundll32.exe | 0x50195c0000 | 0x50195ccfff | Memory Mapped File | Readable |
|
|
|
|
| rundll32.exe | 0x50195c0000 | 0x50195ccfff | Memory Mapped File | Readable |
|
|
|
|
| thumbnailextractionhost.exe | 0x50195c0000 | 0x50195c7fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000050195c0000 | 0x50195c0000 | 0x501963ffff | Private Memory | Readable, Writable |
|
|
|
|
| thumbnailextractionhost.exe | 0x5019640000 | 0x5019647fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005019640000 | 0x5019640000 | 0x50196bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000050196c0000 | 0x50196c0000 | 0x50197bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000050197c0000 | 0x50197c0000 | 0x501983ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005019840000 | 0x5019840000 | 0x50198bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000050198c0000 | 0x50198c0000 | 0x501993ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005019940000 | 0x5019940000 | 0x50199bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000050199c0000 | 0x50199c0000 | 0x5019a3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005019a40000 | 0x5019a40000 | 0x5019abffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005019ac0000 | 0x5019ac0000 | 0x5019b3ffff | Private Memory | Readable, Writable |
|
|
|
|
| mobsync.exe | 0x5019b40000 | 0x5019b54fff | Memory Mapped File | Readable |
|
|
|
|
| mobsync.exe | 0x5019b40000 | 0x5019b54fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00007ff617e36000 | 0x7ff617e36000 | 0x7ff617e37fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e38000 | 0x7ff617e38000 | 0x7ff617e39fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e3a000 | 0x7ff617e3a000 | 0x7ff617e3bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e3c000 | 0x7ff617e3c000 | 0x7ff617e3dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e3e000 | 0x7ff617e3e000 | 0x7ff617e3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e40000 | 0x7ff617e40000 | 0x7ff617e41fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e42000 | 0x7ff617e42000 | 0x7ff617e43fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e44000 | 0x7ff617e44000 | 0x7ff617e45fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e46000 | 0x7ff617e46000 | 0x7ff617e47fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e48000 | 0x7ff617e48000 | 0x7ff617e49fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e4a000 | 0x7ff617e4a000 | 0x7ff617e4bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e4c000 | 0x7ff617e4c000 | 0x7ff617e4dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617e4e000 | 0x7ff617e4e000 | 0x7ff617e4ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff617e50000 | 0x7ff617e50000 | 0x7ff617f4ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff617f50000 | 0x7ff617f50000 | 0x7ff617f72fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff617f74000 | 0x7ff617f74000 | 0x7ff617f74fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617f76000 | 0x7ff617f76000 | 0x7ff617f77fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617f78000 | 0x7ff617f78000 | 0x7ff617f79fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617f7a000 | 0x7ff617f7a000 | 0x7ff617f7bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617f7c000 | 0x7ff617f7c000 | 0x7ff617f7dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617f7e000 | 0x7ff617f7e000 | 0x7ff617f7ffff | Private Memory | Readable, Writable |
|
|
|
|
| svchost.exe | 0x7ff618320000 | 0x7ff61832bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fwpuclnt.dll | 0x7ffd18220000 | 0x7ffd18286fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| firewallapi.dll | 0x7ffd1bbd0000 | 0x7ffd1bc85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x7ffd1bda0000 | 0x7ffd1bdb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcepmap.dll | 0x7ffd1bdc0000 | 0x7ffd1bdd5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcss.dll | 0x7ffd1bde0000 | 0x7ffd1be9cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x7ffd1c5e0000 | 0x7ffd1c637fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\system32\dwm.exe |
| Command Line | "dwm.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:12, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:03 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x294 |
| Parent PID | 0x1a8 (c:\windows\system32\winlogon.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | Window Manager\DWM-1 |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
298
0x
2CC
0x
2D0
0x
2D4
0x
2D8
0x
2E0
0x
2DC
0x
2E4
0x
2FC
0x
3C0
0x
890
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000008132960000 | 0x8132960000 | 0x813297ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008132960000 | 0x8132960000 | 0x813296ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000008132970000 | 0x8132970000 | 0x8132976fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008132980000 | 0x8132980000 | 0x813298efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000008132990000 | 0x8132990000 | 0x8132a0ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008132a10000 | 0x8132a10000 | 0x8132a13fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008132a20000 | 0x8132a20000 | 0x8132a22fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000008132a30000 | 0x8132a30000 | 0x8132a31fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x8132a40000 | 0x8132abdfff | Memory Mapped File | Readable |
|
|
|
|
| sysmain.sdb | 0x8132ac0000 | 0x8132b23fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000008132ac0000 | 0x8132ac0000 | 0x8132b8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008132ac0000 | 0x8132ac0000 | 0x8132ac6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008132ad0000 | 0x8132ad0000 | 0x8132ad2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008132ae0000 | 0x8132ae0000 | 0x8132ae0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000008132af0000 | 0x8132af0000 | 0x8132af0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008132b00000 | 0x8132b00000 | 0x8132b00fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008132b10000 | 0x8132b10000 | 0x8132b10fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008132b20000 | 0x8132b20000 | 0x8132b20fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008132b20000 | 0x8132b20000 | 0x8132b23fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000008132b30000 | 0x8132b30000 | 0x8132b36fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008132b40000 | 0x8132b40000 | 0x8132b40fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008132b50000 | 0x8132b50000 | 0x8132b50fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000008132b60000 | 0x8132b60000 | 0x8132b60fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008132b70000 | 0x8132b70000 | 0x8132b70fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008132b80000 | 0x8132b80000 | 0x8132b8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008132b90000 | 0x8132b90000 | 0x8132b90fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008132ba0000 | 0x8132ba0000 | 0x8132ba0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008132bb0000 | 0x8132bb0000 | 0x8132bb0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008132bc0000 | 0x8132bc0000 | 0x8132bc0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000008132bd0000 | 0x8132bd0000 | 0x8132ccffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008132cd0000 | 0x8132cd0000 | 0x8132e57fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008132e60000 | 0x8132e60000 | 0x8132fe0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008132ff0000 | 0x8132ff0000 | 0x81343effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000081343f0000 | 0x81343f0000 | 0x81347e9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000081347f0000 | 0x81347f0000 | 0x81348dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000081347f0000 | 0x81347f0000 | 0x813486ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008134870000 | 0x8134870000 | 0x8134870fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008134880000 | 0x8134880000 | 0x8134880fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008134890000 | 0x8134890000 | 0x8134890fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000081348a0000 | 0x81348a0000 | 0x81348b7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000081348c0000 | 0x81348c0000 | 0x81348c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000081348d0000 | 0x81348d0000 | 0x81348dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000081348e0000 | 0x81348e0000 | 0x81349cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000081349d0000 | 0x81349d0000 | 0x8134a4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008134a50000 | 0x8134a50000 | 0x8134acffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x8134ad0000 | 0x8134da4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000008134db0000 | 0x8134db0000 | 0x8134e2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008134e30000 | 0x8134e30000 | 0x8134eaffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008134eb0000 | 0x8134eb0000 | 0x8134f2ffff | Private Memory | Readable, Writable |
|
|
|
|
| aero.msstyles | 0x8134f30000 | 0x813501efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000008135020000 | 0x8135020000 | 0x813509ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x81350a0000 | 0x8135159fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000081350a0000 | 0x81350a0000 | 0x81350cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000081350d0000 | 0x81350d0000 | 0x81351cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000081351d0000 | 0x81351d0000 | 0x81353cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000081353d0000 | 0x81353d0000 | 0x81354cffff | Private Memory | Readable, Writable |
|
|
|
|
| d2d1.dll.mui | 0x81354d0000 | 0x8135502fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000008135510000 | 0x8135510000 | 0x8135639fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008135640000 | 0x8135640000 | 0x813566ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008135640000 | 0x8135640000 | 0x813564ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008135650000 | 0x8135650000 | 0x813565ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008135660000 | 0x8135660000 | 0x813566ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000008135670000 | 0x8135670000 | 0x813567ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008135670000 | 0x8135670000 | 0x8135b61fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000008135680000 | 0x8135680000 | 0x813568ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008135b70000 | 0x8135b70000 | 0x8136061fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136070000 | 0x8136070000 | 0x8136561fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136070000 | 0x8136070000 | 0x8136070fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008136080000 | 0x8136080000 | 0x8136080fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008136090000 | 0x8136090000 | 0x8136090fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008136090000 | 0x8136090000 | 0x8136093fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000081360a0000 | 0x81360a0000 | 0x81360a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000081360a0000 | 0x81360a0000 | 0x81360a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000081360b0000 | 0x81360b0000 | 0x81360b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000081360c0000 | 0x81360c0000 | 0x81360c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000081360d0000 | 0x81360d0000 | 0x813614ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136150000 | 0x8136150000 | 0x813654ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136550000 | 0x8136550000 | 0x8136553fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136560000 | 0x8136560000 | 0x813656ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136560000 | 0x8136560000 | 0x8136560fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000008136570000 | 0x8136570000 | 0x8136a61fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136a70000 | 0x8136a70000 | 0x8136f61fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136a70000 | 0x8136a70000 | 0x8136a77fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136a80000 | 0x8136a80000 | 0x8136a81fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136a90000 | 0x8136a90000 | 0x8136a91fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136aa0000 | 0x8136aa0000 | 0x8136adffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136ae0000 | 0x8136ae0000 | 0x8136aeffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136ae0000 | 0x8136ae0000 | 0x8136ae1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136af0000 | 0x8136af0000 | 0x8136afffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136af0000 | 0x8136af0000 | 0x8136af1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136b00000 | 0x8136b00000 | 0x8136b01fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136b10000 | 0x8136b10000 | 0x8136b13fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136b20000 | 0x8136b20000 | 0x8136b9afff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136ba0000 | 0x8136ba0000 | 0x8136bcafff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136bd0000 | 0x8136bd0000 | 0x8136be6fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136bf0000 | 0x8136bf0000 | 0x8136c06fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136c10000 | 0x8136c10000 | 0x8136c1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136c10000 | 0x8136c10000 | 0x8136c8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136c20000 | 0x8136c20000 | 0x8136c2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136c90000 | 0x8136c90000 | 0x8136c9ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008136c90000 | 0x8136c90000 | 0x8136cbafff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136ca0000 | 0x8136ca0000 | 0x8136caffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136cb0000 | 0x8136cb0000 | 0x8136cbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136cc0000 | 0x8136cc0000 | 0x8136ccffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008136cd0000 | 0x8136cd0000 | 0x8136cdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f7dd0000 | 0x7ff7f7dd0000 | 0x7ff7f7ddffff | Private Memory |
|
|
|
|
|
| private_0x00007ff7f7de8000 | 0x7ff7f7de8000 | 0x7ff7f7de9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f7dea000 | 0x7ff7f7dea000 | 0x7ff7f7debfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f7dec000 | 0x7ff7f7dec000 | 0x7ff7f7dedfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f7dee000 | 0x7ff7f7dee000 | 0x7ff7f7deffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff7f7df0000 | 0x7ff7f7df0000 | 0x7ff7f7eeffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff7f7ef0000 | 0x7ff7f7ef0000 | 0x7ff7f7f12fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff7f7f14000 | 0x7ff7f7f14000 | 0x7ff7f7f15fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f7f16000 | 0x7ff7f7f16000 | 0x7ff7f7f17fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f7f18000 | 0x7ff7f7f18000 | 0x7ff7f7f18fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f7f1a000 | 0x7ff7f7f1a000 | 0x7ff7f7f1bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f7f1c000 | 0x7ff7f7f1c000 | 0x7ff7f7f1dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f7f1e000 | 0x7ff7f7f1e000 | 0x7ff7f7f1ffff | Private Memory | Readable, Writable |
|
|
|
|
| dwm.exe | 0x7ff7f8670000 | 0x7ff7f868ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| xmllite.dll | 0x7ffd197f0000 | 0x7ffd19827fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d2d1.dll | 0x7ffd19830000 | 0x7ffd19c95fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| udwm.dll | 0x7ffd19ca0000 | 0x7ffd19d64fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| avrt.dll | 0x7ffd19d70000 | 0x7ffd19d7afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| windowscodecs.dll | 0x7ffd19d80000 | 0x7ffd19f12fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dcomp.dll | 0x7ffd1a340000 | 0x7ffd1a399fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10warp.dll | 0x7ffd1a420000 | 0x7ffd1a66cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dxgi.dll | 0x7ffd1a670000 | 0x7ffd1a6eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d11.dll | 0x7ffd1a6f0000 | 0x7ffd1a8f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uianimation.dll | 0x7ffd1a900000 | 0x7ffd1a94bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmcore.dll | 0x7ffd1b6c0000 | 0x7ffd1b8cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmredir.dll | 0x7ffd1b8d0000 | 0x7ffd1b8fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x7ffd1b950000 | 0x7ffd1b9dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 46 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #44 |
| File Name | c:\windows\system32\logonui.exe |
| Command Line | "LogonUI.exe" /flags:0x0 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:12, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:03 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x29c |
| Parent PID | 0x1a8 (c:\windows\system32\winlogon.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
2A0
0x
2AC
0x
2B0
0x
2B4
0x
2B8
0x
2BC
0x
2C0
0x
2C4
0x
3A0
0x
3A4
0x
3B4
0x
3BC
0x
3C8
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000f107140000 | 0xf107140000 | 0xf10715ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f107140000 | 0xf107140000 | 0xf10714ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000f107150000 | 0xf107150000 | 0xf10715ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f107160000 | 0xf107160000 | 0xf10716efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f107170000 | 0xf107170000 | 0xf1071effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f1071f0000 | 0xf1071f0000 | 0xf1071f3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f107200000 | 0xf107200000 | 0xf107202fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f107210000 | 0xf107210000 | 0xf107211fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xf107220000 | 0xf10729dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000f1072a0000 | 0xf1072a0000 | 0xf1072a6fff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xf1072b0000 | 0xf107369fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000f1072b0000 | 0xf1072b0000 | 0xf1072b6fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xf1072c0000 | 0xf1072f3fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000f1072c0000 | 0xf1072c0000 | 0xf1072effff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f1072f0000 | 0xf1072f0000 | 0xf1072f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f107300000 | 0xf107300000 | 0xf107300fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f107310000 | 0xf107310000 | 0xf10739ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f107310000 | 0xf107310000 | 0xf107310fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f107310000 | 0xf107310000 | 0xf107313fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f107320000 | 0xf107320000 | 0xf107326fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f107330000 | 0xf107330000 | 0xf107330fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f107340000 | 0xf107340000 | 0xf107340fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f107350000 | 0xf107350000 | 0xf107352fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f107360000 | 0xf107360000 | 0xf107361fff | Pagefile Backed Memory | Readable |
|
|
|
|
| windowsshell.manifest | 0xf107370000 | 0xf107370fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000f107370000 | 0xf107370000 | 0xf107372fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f107380000 | 0xf107380000 | 0xf107381fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f107390000 | 0xf107390000 | 0xf10739ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f1073a0000 | 0xf1073a0000 | 0xf1073a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f1073b0000 | 0xf1073b0000 | 0xf1073b1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f1073c0000 | 0xf1073c0000 | 0xf1073c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| dui70.dll.mui | 0xf1073d0000 | 0xf1073d1fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000f1073e0000 | 0xf1073e0000 | 0xf1073e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| oleaccrc.dll | 0xf1073f0000 | 0xf1073f0fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000f107400000 | 0xf107400000 | 0xf1074fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f107500000 | 0xf107500000 | 0xf107687fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f107690000 | 0xf107690000 | 0xf107810fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f107820000 | 0xf107820000 | 0xf10790ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f107910000 | 0xf107910000 | 0xf10798ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f107990000 | 0xf107990000 | 0xf107d89fff | Pagefile Backed Memory | Readable |
|
|
|
|
| oleaut32.dll | 0xf107d90000 | 0xf107e45fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000f107d90000 | 0xf107d90000 | 0xf107e0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f107e10000 | 0xf107e10000 | 0xf107e8ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0xf107e90000 | 0xf108164fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000f108170000 | 0xf108170000 | 0xf10826ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f108270000 | 0xf108270000 | 0xf10836ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f108370000 | 0xf108370000 | 0xf108370fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f108380000 | 0xf108380000 | 0xf108380fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f108390000 | 0xf108390000 | 0xf108390fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f1083a0000 | 0xf1083a0000 | 0xf1083a1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f1083b0000 | 0xf1083b0000 | 0xf10842ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f108430000 | 0xf108430000 | 0xf108430fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f108440000 | 0xf108440000 | 0xf108440fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f108450000 | 0xf108450000 | 0xf108450fff | Private Memory | Readable, Writable |
|
|
|
|
| basebrd.dll | 0xf108460000 | 0xf108554fff | Memory Mapped File | Readable |
|
|
|
|
| basebrd.dll | 0xf108460000 | 0xf108554fff | Memory Mapped File | Readable |
|
|
|
|
| imageres.dll | 0xf108460000 | 0xf10b2f5fff | Memory Mapped File | Readable |
|
|
|
|
| basebrd.dll.mui | 0xf108560000 | 0xf108560fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000f108570000 | 0xf108570000 | 0xf108581fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f10b300000 | 0xf10b300000 | 0xf10b37ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f10b380000 | 0xf10b380000 | 0xf10b3fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f10b400000 | 0xf10b400000 | 0xf10b4fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f10b500000 | 0xf10b500000 | 0xf10b57ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f10b580000 | 0xf10b580000 | 0xf10b5fffff | Private Memory | Readable, Writable |
|
|
|
|
| ~fontcache-system.dat | 0xf10b600000 | 0xf10b6a4fff | Memory Mapped File | Readable |
|
|
|
|
| ~fontcache-fontface.dat | 0xf10b6b0000 | 0xf10c6affff | Memory Mapped File | Readable |
|
|
|
|
| ~fontcache-s-1-5-18.dat | 0xf10c6b0000 | 0xf10ceaffff | Memory Mapped File | Readable |
|
|
|
|
| seguisym.ttf | 0xf10ceb0000 | 0xf10d062fff | Memory Mapped File | Readable |
|
|
|
|
| seguisb.ttf | 0xf10d070000 | 0xf10d143fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000f10d150000 | 0xf10d150000 | 0xf10d1cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff646e8a000 | 0x7ff646e8a000 | 0x7ff646e8bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff646e8c000 | 0x7ff646e8c000 | 0x7ff646e8dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff646e8e000 | 0x7ff646e8e000 | 0x7ff646e8ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff646e90000 | 0x7ff646e90000 | 0x7ff646f8ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff646f90000 | 0x7ff646f90000 | 0x7ff646fb2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff646fb3000 | 0x7ff646fb3000 | 0x7ff646fb4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff646fb5000 | 0x7ff646fb5000 | 0x7ff646fb6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff646fb7000 | 0x7ff646fb7000 | 0x7ff646fb7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff646fb8000 | 0x7ff646fb8000 | 0x7ff646fb9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff646fba000 | 0x7ff646fba000 | 0x7ff646fbbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff646fbc000 | 0x7ff646fbc000 | 0x7ff646fbdfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff646fbe000 | 0x7ff646fbe000 | 0x7ff646fbffff | Private Memory | Readable, Writable |
|
|
|
|
| logonui.exe | 0x7ff6475c0000 | 0x7ff6475c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| inputswitch.dll | 0x7ffd18e80000 | 0x7ffd18ebbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samlib.dll | 0x7ffd18ec0000 | 0x7ffd18eddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shacct.dll | 0x7ffd18ee0000 | 0x7ffd18f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| networkstatus.dll | 0x7ffd19f50000 | 0x7ffd19f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7ffd19f70000 | 0x7ffd19f80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x7ffd19f90000 | 0x7ffd1a0f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| authext.dll | 0x7ffd1a100000 | 0x7ffd1a10cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasman.dll | 0x7ffd1a110000 | 0x7ffd1a13dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rtutils.dll | 0x7ffd1a140000 | 0x7ffd1a151fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasapi32.dll | 0x7ffd1a160000 | 0x7ffd1a20cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasplap.dll | 0x7ffd1a210000 | 0x7ffd1a27bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wlidcredprov.dll | 0x7ffd1a280000 | 0x7ffd1a2cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winbrand.dll | 0x7ffd1a2d0000 | 0x7ffd1a2dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| certcredprovider.dll | 0x7ffd1a2e0000 | 0x7ffd1a336fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dcomp.dll | 0x7ffd1a340000 | 0x7ffd1a399fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winbio.dll | 0x7ffd1a3a0000 | 0x7ffd1a3bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| biocredprov.dll | 0x7ffd1a3c0000 | 0x7ffd1a413fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10warp.dll | 0x7ffd1a420000 | 0x7ffd1a66cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dxgi.dll | 0x7ffd1a670000 | 0x7ffd1a6eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d11.dll | 0x7ffd1a6f0000 | 0x7ffd1a8f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uianimation.dll | 0x7ffd1a900000 | 0x7ffd1a94bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cngcredui.dll | 0x7ffd1a950000 | 0x7ffd1a96cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleacc.dll | 0x7ffd1a970000 | 0x7ffd1a9d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| smartcardcredentialprovider.dll | 0x7ffd1a9e0000 | 0x7ffd1ab30fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwrite.dll | 0x7ffd1ab40000 | 0x7ffd1ad1efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcp47langs.dll | 0x7ffd1ad20000 | 0x7ffd1ad7dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sppc.dll | 0x7ffd1ad80000 | 0x7ffd1ada1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| slc.dll | 0x7ffd1adb0000 | 0x7ffd1addafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mmdevapi.dll | 0x7ffd1ade0000 | 0x7ffd1ae40fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sndvolsso.dll | 0x7ffd1ae50000 | 0x7ffd1ae8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| duser.dll | 0x7ffd1ae90000 | 0x7ffd1af30fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dui70.dll | 0x7ffd1b1d0000 | 0x7ffd1b37afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| authui.dll | 0x7ffd1b430000 | 0x7ffd1b6b2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x7ffd1b950000 | 0x7ffd1b9dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| hid.dll | 0x7ffd1bed0000 | 0x7ffd1bedcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 79 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:59 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x304 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
308
0x
310
0x
314
0x
318
0x
328
0x
32C
0x
330
0x
33C
0x
340
0x
3C4
0x
3D0
0x
3D4
0x
3D8
0x
3E4
0x
3F4
0x
3FC
0x
DC
0x
114
0x
104
0x
148
0x
154
0x
144
0x
134
0x
1C8
0x
2D0
0x
4CC
0x
7AC
0x
7C0
0x
7C4
0x
85C
0x
860
0x
878
0x
8D0
0x
B50
0x
B54
0x
B58
0x
B60
0x
604
0x
898
0x
834
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| ntfs.sys | 0x0fdf0000 | 0x0ffe5fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000788fdf0000 | 0x788fdf0000 | 0x788fe0ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000788fdf0000 | 0x788fdf0000 | 0x788fdfffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000788fe00000 | 0x788fe00000 | 0x788fe06fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000788fe10000 | 0x788fe10000 | 0x788fe1efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000788fe20000 | 0x788fe20000 | 0x788fe9ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000788fea0000 | 0x788fea0000 | 0x788fea3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000788feb0000 | 0x788feb0000 | 0x788feb0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000788fec0000 | 0x788fec0000 | 0x788fec1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x788fed0000 | 0x788ff4dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000788ff50000 | 0x788ff50000 | 0x788ff56fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000788ff60000 | 0x788ff60000 | 0x789005ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890060000 | 0x7890060000 | 0x78901affff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x7890060000 | 0x7890119fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007890060000 | 0x7890060000 | 0x789011ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007890120000 | 0x7890120000 | 0x7890122fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007890130000 | 0x7890130000 | 0x7890130fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890140000 | 0x7890140000 | 0x7890140fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890150000 | 0x7890150000 | 0x7890150fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890160000 | 0x7890160000 | 0x7890166fff | Private Memory | Readable, Writable |
|
|
|
|
| tzres.dll | 0x7890170000 | 0x7890171fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007890170000 | 0x7890170000 | 0x7890170fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890170000 | 0x7890170000 | 0x789018ffff | Private Memory | Readable, Writable |
|
|
|
|
| tzres.dll.mui | 0x7890180000 | 0x7890187fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007890190000 | 0x7890190000 | 0x7890190fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007890190000 | 0x7890190000 | 0x7890190fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000078901a0000 | 0x78901a0000 | 0x78901affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000078901b0000 | 0x78901b0000 | 0x7890337fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007890340000 | 0x7890340000 | 0x78904c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000078904d0000 | 0x78904d0000 | 0x78908c9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000078908d0000 | 0x78908d0000 | 0x789094ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890950000 | 0x7890950000 | 0x78909cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890950000 | 0x7890950000 | 0x789096ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890970000 | 0x7890970000 | 0x789098ffff | Private Memory | Readable, Writable |
|
|
|
|
| microsoft-windows-system-events.dll | 0x7890990000 | 0x78909cbfff | Memory Mapped File | Readable |
|
|
|
|
| pshed.dll | 0x7890990000 | 0x78909a4fff | Memory Mapped File | Readable |
|
|
|
|
| microsoft-windows-kernel-processor-power-events.dll | 0x7890990000 | 0x78909a0fff | Memory Mapped File | Readable |
|
|
|
|
| profsvc.dll | 0x7890990000 | 0x78909cafff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007890990000 | 0x7890990000 | 0x7890990fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000078909a0000 | 0x78909a0000 | 0x78909a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000078909b0000 | 0x78909b0000 | 0x78909b0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000078909c0000 | 0x78909c0000 | 0x78909c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x78909d0000 | 0x7890ca4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007890cb0000 | 0x7890cb0000 | 0x7890d97fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890cb0000 | 0x7890cb0000 | 0x7890d2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890d30000 | 0x7890d30000 | 0x7890d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| microsoft-windows-kernel-power-events.dll | 0x7890d50000 | 0x7890d6ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007890d50000 | 0x7890d50000 | 0x7890d50fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890d90000 | 0x7890d90000 | 0x7890d97fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890da0000 | 0x7890da0000 | 0x7890e9ffff | Private Memory | Readable, Writable |
|
|
|
|
| wevtapi.dll | 0x7890ea0000 | 0x7890f06fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007890f10000 | 0x7890f10000 | 0x7890f8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007890f90000 | 0x7890f90000 | 0x789100ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007891010000 | 0x7891010000 | 0x789108ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007891090000 | 0x7891090000 | 0x789110ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007891110000 | 0x7891110000 | 0x789118ffff | Private Memory | Readable, Writable |
|
|
|
|
| wcmsvc.dll | 0x7891190000 | 0x78911edfff | Memory Mapped File | Readable |
|
|
|
|
| adtschema.dll | 0x7891190000 | 0x7891243fff | Memory Mapped File | Readable |
|
|
|
|
| lsm.dll | 0x7891190000 | 0x7891245fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007891190000 | 0x7891190000 | 0x789120ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007891250000 | 0x7891250000 | 0x789134ffff | Private Memory | Readable, Writable |
|
|
|
|
| comres.dll | 0x7891350000 | 0x789148dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007891350000 | 0x7891350000 | 0x78913cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000078913d0000 | 0x78913d0000 | 0x789144ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007891490000 | 0x7891490000 | 0x789168ffff | Private Memory | Readable, Writable |
|
|
|
|
| gpsvc.dll | 0x7891690000 | 0x78917d6fff | Memory Mapped File | Readable |
|
|
|
|
| ole32.dll | 0x7891690000 | 0x7891806fff | Memory Mapped File | Readable |
|
|
|
|
| winlogon.exe | 0x7891690000 | 0x789171ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007891720000 | 0x7891720000 | 0x789179ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000078917a0000 | 0x78917a0000 | 0x789181ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007891820000 | 0x7891820000 | 0x789189ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000078918a0000 | 0x78918a0000 | 0x789191ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007891920000 | 0x7891920000 | 0x789199ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000078919a0000 | 0x78919a0000 | 0x7891a1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007891a20000 | 0x7891a20000 | 0x7891a9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007891aa0000 | 0x7891aa0000 | 0x7891b1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007891b20000 | 0x7891b20000 | 0x7891b9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d64000 | 0x7ff617d64000 | 0x7ff617d65fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d66000 | 0x7ff617d66000 | 0x7ff617d67fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d68000 | 0x7ff617d68000 | 0x7ff617d69fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d6a000 | 0x7ff617d6a000 | 0x7ff617d6bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d6c000 | 0x7ff617d6c000 | 0x7ff617d6dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d6e000 | 0x7ff617d6e000 | 0x7ff617d6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d70000 | 0x7ff617d70000 | 0x7ff617d71fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d72000 | 0x7ff617d72000 | 0x7ff617d73fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d74000 | 0x7ff617d74000 | 0x7ff617d75fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d76000 | 0x7ff617d76000 | 0x7ff617d77fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d78000 | 0x7ff617d78000 | 0x7ff617d79fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d7a000 | 0x7ff617d7a000 | 0x7ff617d7bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d7c000 | 0x7ff617d7c000 | 0x7ff617d7dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d7e000 | 0x7ff617d7e000 | 0x7ff617d7ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff617d80000 | 0x7ff617d80000 | 0x7ff617e7ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff617e80000 | 0x7ff617e80000 | 0x7ff617ea2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff617ea3000 | 0x7ff617ea3000 | 0x7ff617ea4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617ea5000 | 0x7ff617ea5000 | 0x7ff617ea6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617ea7000 | 0x7ff617ea7000 | 0x7ff617ea8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617ea9000 | 0x7ff617ea9000 | 0x7ff617eaafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617eab000 | 0x7ff617eab000 | 0x7ff617eacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617ead000 | 0x7ff617ead000 | 0x7ff617eadfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617eae000 | 0x7ff617eae000 | 0x7ff617eaffff | Private Memory | Readable, Writable |
|
|
|
|
| svchost.exe | 0x7ff618320000 | 0x7ff61832bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc.dll | 0x7ffd18180000 | 0x7ffd18198fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc6.dll | 0x7ffd181a0000 | 0x7ffd181b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcore6.dll | 0x7ffd181d0000 | 0x7ffd18216fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wmiclnt.dll | 0x7ffd18350000 | 0x7ffd1835dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wcmcsp.dll | 0x7ffd18360000 | 0x7ffd1837dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcore.dll | 0x7ffd183d0000 | 0x7ffd1842afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wcmsvc.dll | 0x7ffd18430000 | 0x7ffd1848dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nrpsrv.dll | 0x7ffd18490000 | 0x7ffd18498fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lmhsvc.dll | 0x7ffd184b0000 | 0x7ffd184b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| audiosrv.dll | 0x7ffd18c30000 | 0x7ffd18d02fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nlaapi.dll | 0x7ffd19590000 | 0x7ffd195a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x7ffd195b0000 | 0x7ffd195dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wevtsvc.dll | 0x7ffd19650000 | 0x7ffd197eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| avrt.dll | 0x7ffd19d70000 | 0x7ffd19d7afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7ffd19f70000 | 0x7ffd19f80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mmdevapi.dll | 0x7ffd1ade0000 | 0x7ffd1ae40fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| firewallapi.dll | 0x7ffd1bbd0000 | 0x7ffd1bc85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gpapi.dll | 0x7ffd1bea0000 | 0x7ffd1bec2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| hid.dll | 0x7ffd1bed0000 | 0x7ffd1bedcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x7ffd1c390000 | 0x7ffd1c432fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x7ffd1c5e0000 | 0x7ffd1c637fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kerberos.dll | 0x7ffd1c660000 | 0x7ffd1c74afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptdll.dll | 0x7ffd1c750000 | 0x7ffd1c767fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 68 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:59 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x320 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
324
0x
334
0x
338
0x
344
0x
348
0x
368
0x
370
0x
374
0x
380
0x
394
0x
3A8
0x
3F0
0x
110
0x
20C
0x
240
0x
270
0x
274
0x
290
0x
284
0x
35C
0x
370
0x
3EC
0x
210
0x
408
0x
428
0x
448
0x
4C8
0x
414
0x
40C
0x
728
0x
734
0x
73C
0x
740
0x
74C
0x
750
0x
754
0x
774
0x
778
0x
77C
0x
784
0x
7B0
0x
7BC
0x
7C8
0x
7DC
0x
7FC
0x
498
0x
10C
0x
17C
0x
11C
0x
190
0x
118
0x
5CC
0x
3BC
0x
2BC
0x
2B4
0x
3C8
0x
2C0
0x
2A0
0x
29C
0x
6A4
0x
6FC
0x
6EC
0x
154
0x
7E4
0x
564
0x
7FC
0x
7F8
0x
4A4
0x
81C
0x
824
0x
838
0x
848
0x
84C
0x
850
0x
854
0x
858
0x
8A0
0x
8A4
0x
8A8
0x
9D4
0x
B88
0x
B8C
0x
B90
0x
B94
0x
B98
0x
B9C
0x
BA0
0x
BA4
0x
BA8
0x
BAC
0x
638
0x
63C
0x
628
0x
600
0x
844
0x
868
0x
404
0x
864
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000000100000000 | 0x100000000 | 0x10001ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000100000000 | 0x100000000 | 0x10000ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000100010000 | 0x100010000 | 0x100016fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000100020000 | 0x100020000 | 0x10002efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000100030000 | 0x100030000 | 0x1000affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000001000b0000 | 0x1000b0000 | 0x1000b3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000001000c0000 | 0x1000c0000 | 0x1000c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000001000d0000 | 0x1000d0000 | 0x1000d1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000001000e0000 | 0x1000e0000 | 0x1000e6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000001000f0000 | 0x1000f0000 | 0x1000f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000100100000 | 0x100100000 | 0x100100fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000100110000 | 0x100110000 | 0x100110fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000100120000 | 0x100120000 | 0x100120fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000100130000 | 0x100130000 | 0x100130fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000100140000 | 0x100140000 | 0x10023ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x100240000 | 0x1002bdfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000001002c0000 | 0x1002c0000 | 0x1003bffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x1002c0000 | 0x100379fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000001002c0000 | 0x1002c0000 | 0x10037ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000100380000 | 0x100380000 | 0x100380fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000100390000 | 0x100390000 | 0x100390fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000001003a0000 | 0x1003a0000 | 0x1003a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000001003a0000 | 0x1003a0000 | 0x1003a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000001003b0000 | 0x1003b0000 | 0x1003bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000001003c0000 | 0x1003c0000 | 0x100547fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000100550000 | 0x100550000 | 0x1006d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000001006e0000 | 0x1006e0000 | 0x100ad9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000100ae0000 | 0x100ae0000 | 0x100b5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000100b60000 | 0x100b60000 | 0x100bdffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x100be0000 | 0x100eb4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000100ec0000 | 0x100ec0000 | 0x100f3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000100f40000 | 0x100f40000 | 0x100fbffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0x100fc0000 | 0x101136fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000100fc0000 | 0x100fc0000 | 0x10108ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000100fc0000 | 0x100fc0000 | 0x10103ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000101040000 | 0x101040000 | 0x101042fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000101050000 | 0x101050000 | 0x101050fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101050000 | 0x101050000 | 0x101056fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101080000 | 0x101080000 | 0x10108ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101090000 | 0x101090000 | 0x10110ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101110000 | 0x101110000 | 0x10118ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101190000 | 0x101190000 | 0x10120ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101210000 | 0x101210000 | 0x10128ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101290000 | 0x101290000 | 0x10130ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101310000 | 0x101310000 | 0x10138ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101390000 | 0x101390000 | 0x10140ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101410000 | 0x101410000 | 0x10155ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101410000 | 0x101410000 | 0x10148ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101490000 | 0x101490000 | 0x10150ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101550000 | 0x101550000 | 0x10155ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101560000 | 0x101560000 | 0x10165ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000101660000 | 0x101660000 | 0x1016dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c0a000 | 0x7ff617c0a000 | 0x7ff617c0bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c0c000 | 0x7ff617c0c000 | 0x7ff617c0dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c0e000 | 0x7ff617c0e000 | 0x7ff617c0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c10000 | 0x7ff617c10000 | 0x7ff617c11fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c12000 | 0x7ff617c12000 | 0x7ff617c13fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c14000 | 0x7ff617c14000 | 0x7ff617c15fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c16000 | 0x7ff617c16000 | 0x7ff617c17fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c18000 | 0x7ff617c18000 | 0x7ff617c19fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c1a000 | 0x7ff617c1a000 | 0x7ff617c1bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c1c000 | 0x7ff617c1c000 | 0x7ff617c1dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c1e000 | 0x7ff617c1e000 | 0x7ff617c1ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff617c20000 | 0x7ff617c20000 | 0x7ff617d1ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff617d20000 | 0x7ff617d20000 | 0x7ff617d42fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff617d44000 | 0x7ff617d44000 | 0x7ff617d45fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d46000 | 0x7ff617d46000 | 0x7ff617d47fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d48000 | 0x7ff617d48000 | 0x7ff617d49fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d4a000 | 0x7ff617d4a000 | 0x7ff617d4bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d4c000 | 0x7ff617d4c000 | 0x7ff617d4cfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d4e000 | 0x7ff617d4e000 | 0x7ff617d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| svchost.exe | 0x7ff618320000 | 0x7ff61832bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| csystemeventsbrokerclient.dll | 0x7ffd17a50000 | 0x7ffd17a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ktmw32.dll | 0x7ffd17a60000 | 0x7ffd17a6afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ubpm.dll | 0x7ffd17a70000 | 0x7ffd17aa4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| schedsvc.dll | 0x7ffd17ab0000 | 0x7ffd17bd9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shsvcs.dll | 0x7ffd17be0000 | 0x7ffd17c7cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| credentialmigrationhandler.dll | 0x7ffd18170000 | 0x7ffd1817bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| settingsynccore.dll | 0x7ffd18290000 | 0x7ffd1834bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wmiclnt.dll | 0x7ffd18350000 | 0x7ffd1835dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcd.dll | 0x7ffd18970000 | 0x7ffd18989fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fveapi.dll | 0x7ffd18990000 | 0x7ffd18a42fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| idstore.dll | 0x7ffd18d30000 | 0x7ffd18d53fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samlib.dll | 0x7ffd18ec0000 | 0x7ffd18eddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shacct.dll | 0x7ffd18ee0000 | 0x7ffd18f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mmcss.dll | 0x7ffd18f10000 | 0x7ffd18f35fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| taskschd.dll | 0x7ffd190d0000 | 0x7ffd1926cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sens.dll | 0x7ffd19270000 | 0x7ffd19286fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dsrole.dll | 0x7ffd19290000 | 0x7ffd19298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| atl.dll | 0x7ffd192c0000 | 0x7ffd192dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x7ffd19380000 | 0x7ffd193a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profsvcext.dll | 0x7ffd193b0000 | 0x7ffd193d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| themeservice.dll | 0x7ffd193e0000 | 0x7ffd193f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profsvc.dll | 0x7ffd19400000 | 0x7ffd1943afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gpsvc.dll | 0x7ffd19440000 | 0x7ffd19586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nlaapi.dll | 0x7ffd19590000 | 0x7ffd195a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x7ffd195b0000 | 0x7ffd195dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wevtapi.dll | 0x7ffd195e0000 | 0x7ffd19646fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| xmllite.dll | 0x7ffd197f0000 | 0x7ffd19827fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| avrt.dll | 0x7ffd19d70000 | 0x7ffd19d7afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7ffd19f70000 | 0x7ffd19f80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sysntfy.dll | 0x7ffd1bb90000 | 0x7ffd1bb9afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gpapi.dll | 0x7ffd1bea0000 | 0x7ffd1bec2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| hid.dll | 0x7ffd1bed0000 | 0x7ffd1bedcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pcwum.dll | 0x7ffd1bee0000 | 0x7ffd1beedfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| authz.dll | 0x7ffd1bf60000 | 0x7ffd1bfa7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| eventaggregation.dll | 0x7ffd1c090000 | 0x7ffd1c09afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dabapi.dll | 0x7ffd1c0a0000 | 0x7ffd1c0a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| logoncli.dll | 0x7ffd1c350000 | 0x7ffd1c38cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x7ffd1ce20000 | 0x7ffd1cff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wldap32.dll | 0x7ffd1f3b0000 | 0x7ffd1f409fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 282 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #47 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:59 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x350 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
354
0x
358
0x
35C
0x
360
0x
364
0x
36C
0x
390
0x
3AC
0x
3B0
0x
3F8
0x
338
0x
38C
0x
5A4
0x
714
0x
72C
0x
7A0
0x
7A8
0x
7D0
0x
7E0
0x
4B0
0x
4CC
0x
534
0x
554
0x
500
0x
14C
0x
5F8
0x
5FC
0x
2B0
0x
2AC
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| ~fontcache-s-1-5-21-3643094112-4209292109-138530109-1001.dat | 0x7d80000000 | 0x7d807fffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000007d80800000 | 0x7d80800000 | 0x7d808fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80900000 | 0x7d80900000 | 0x7d8097ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80980000 | 0x7d80980000 | 0x7d809fffff | Private Memory | Readable, Writable |
|
|
|
|
| netprofmsvc.dll.mui | 0x7d80a00000 | 0x7d80a01fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007d80a10000 | 0x7d80a10000 | 0x7d80a8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80a90000 | 0x7d80a90000 | 0x7d80b0ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d80b10000 | 0x7d80b10000 | 0x7d80b11fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007d80b20000 | 0x7d80b20000 | 0x7d80b6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80b20000 | 0x7d80b20000 | 0x7d80b20fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d80b20000 | 0x7d80b20000 | 0x7d80b20fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007d80b60000 | 0x7d80b60000 | 0x7d80b6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80b70000 | 0x7d80b70000 | 0x7d80beffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80bf0000 | 0x7d80bf0000 | 0x7d80c6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80c70000 | 0x7d80c70000 | 0x7d80ceffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80cf0000 | 0x7d80cf0000 | 0x7d80d6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80d70000 | 0x7d80d70000 | 0x7d80deffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80df0000 | 0x7d80df0000 | 0x7d80e6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80e70000 | 0x7d80e70000 | 0x7d80eeffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80ef0000 | 0x7d80ef0000 | 0x7d80f6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d80f70000 | 0x7d80f70000 | 0x7d8116ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfd200000 | 0x7dfd200000 | 0x7dfd21ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007dfd200000 | 0x7dfd200000 | 0x7dfd20ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfd210000 | 0x7dfd210000 | 0x7dfd216fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007dfd220000 | 0x7dfd220000 | 0x7dfd22efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007dfd230000 | 0x7dfd230000 | 0x7dfd2affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007dfd2b0000 | 0x7dfd2b0000 | 0x7dfd2b3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007dfd2c0000 | 0x7dfd2c0000 | 0x7dfd2c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007dfd2d0000 | 0x7dfd2d0000 | 0x7dfd2d1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfd2e0000 | 0x7dfd2e0000 | 0x7dfd2e6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007dfd2f0000 | 0x7dfd2f0000 | 0x7dfd2f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007dfd300000 | 0x7dfd300000 | 0x7dfd300fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfd310000 | 0x7dfd310000 | 0x7dfd40ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x7dfd410000 | 0x7dfd48dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007dfd490000 | 0x7dfd490000 | 0x7dfd5cffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x7dfd490000 | 0x7dfd549fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007dfd490000 | 0x7dfd490000 | 0x7dfd54ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007dfd550000 | 0x7dfd550000 | 0x7dfd550fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfd560000 | 0x7dfd560000 | 0x7dfd560fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007dfd570000 | 0x7dfd570000 | 0x7dfd570fff | Pagefile Backed Memory | Readable |
|
|
|
|
| es.dll | 0x7dfd580000 | 0x7dfd590fff | Memory Mapped File | Readable |
|
|
|
|
| stdole2.tlb | 0x7dfd5a0000 | 0x7dfd5a3fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007dfd5c0000 | 0x7dfd5c0000 | 0x7dfd5cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007dfd5d0000 | 0x7dfd5d0000 | 0x7dfd757fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007dfd760000 | 0x7dfd760000 | 0x7dfd8e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007dfd8f0000 | 0x7dfd8f0000 | 0x7dfdce9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007dfdcf0000 | 0x7dfdcf0000 | 0x7dfdd6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfdd70000 | 0x7dfdd70000 | 0x7dfddeffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x7dfddf0000 | 0x7dfe0c4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007dfe0d0000 | 0x7dfe0d0000 | 0x7dfe14ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfe150000 | 0x7dfe150000 | 0x7dfe1cffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0x7dfe1d0000 | 0x7dfe346fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007dfe1d0000 | 0x7dfe1d0000 | 0x7dfe24ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfe250000 | 0x7dfe250000 | 0x7dfe34ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfe350000 | 0x7dfe350000 | 0x7dfe3cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfe3d0000 | 0x7dfe3d0000 | 0x7dfe44ffff | Private Memory | Readable, Writable |
|
|
|
|
| ~fontcache-fontface.dat | 0x7dfe450000 | 0x7dff44ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000007dff450000 | 0x7dff450000 | 0x7dff54ffff | Private Memory | Readable, Writable |
|
|
|
|
| ~fontcache-system.dat | 0x7dff550000 | 0x7dff5f4fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| ~fontcache-s-1-5-18.dat | 0x7dff600000 | 0x7dffdfffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000007dffe00000 | 0x7dffe00000 | 0x7dffe7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dffe80000 | 0x7dffe80000 | 0x7dffefffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfff00000 | 0x7dfff00000 | 0x7dfff7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007dfff80000 | 0x7dfff80000 | 0x7dffffffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c0c000 | 0x7ff617c0c000 | 0x7ff617c0dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c0e000 | 0x7ff617c0e000 | 0x7ff617c0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c10000 | 0x7ff617c10000 | 0x7ff617c11fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c12000 | 0x7ff617c12000 | 0x7ff617c13fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c14000 | 0x7ff617c14000 | 0x7ff617c15fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c16000 | 0x7ff617c16000 | 0x7ff617c17fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c18000 | 0x7ff617c18000 | 0x7ff617c19fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c1a000 | 0x7ff617c1a000 | 0x7ff617c1bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c1c000 | 0x7ff617c1c000 | 0x7ff617c1dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c1e000 | 0x7ff617c1e000 | 0x7ff617c1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c20000 | 0x7ff617c20000 | 0x7ff617c21fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c22000 | 0x7ff617c22000 | 0x7ff617c23fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c24000 | 0x7ff617c24000 | 0x7ff617c25fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c26000 | 0x7ff617c26000 | 0x7ff617c27fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c28000 | 0x7ff617c28000 | 0x7ff617c29fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c2a000 | 0x7ff617c2a000 | 0x7ff617c2bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c2c000 | 0x7ff617c2c000 | 0x7ff617c2dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617c2e000 | 0x7ff617c2e000 | 0x7ff617c2ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff617c30000 | 0x7ff617c30000 | 0x7ff617d2ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff617d30000 | 0x7ff617d30000 | 0x7ff617d52fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff617d53000 | 0x7ff617d53000 | 0x7ff617d54fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d55000 | 0x7ff617d55000 | 0x7ff617d56fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d57000 | 0x7ff617d57000 | 0x7ff617d58fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d59000 | 0x7ff617d59000 | 0x7ff617d5afff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d5b000 | 0x7ff617d5b000 | 0x7ff617d5cfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d5d000 | 0x7ff617d5d000 | 0x7ff617d5dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617d5e000 | 0x7ff617d5e000 | 0x7ff617d5ffff | Private Memory | Readable, Writable |
|
|
|
|
| svchost.exe | 0x7ff618320000 | 0x7ff61832bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| npmproxy.dll | 0x7ffd13010000 | 0x7ffd1301dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wer.dll | 0x7ffd13070000 | 0x7ffd130f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| perftrack.dll | 0x7ffd131e0000 | 0x7ffd132f1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netprofmsvc.dll | 0x7ffd13470000 | 0x7ffd134f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wdi.dll | 0x7ffd13500000 | 0x7ffd1351afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasadhlp.dll | 0x7ffd13520000 | 0x7ffd13528fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc.dll | 0x7ffd18180000 | 0x7ffd18198fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc6.dll | 0x7ffd181a0000 | 0x7ffd181b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsisvc.dll | 0x7ffd184a0000 | 0x7ffd184abfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fntcache.dll | 0x7ffd18f40000 | 0x7ffd1908cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| es.dll | 0x7ffd19300000 | 0x7ffd19377fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nlaapi.dll | 0x7ffd19590000 | 0x7ffd195a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| aepic.dll | 0x7ffd1a130000 | 0x7ffd1a14bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winhttp.dll | 0x7ffd1a150000 | 0x7ffd1a214fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sfc_os.dll | 0x7ffd1a3a0000 | 0x7ffd1a3affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gpapi.dll | 0x7ffd1bea0000 | 0x7ffd1bec2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pcwum.dll | 0x7ffd1bee0000 | 0x7ffd1beedfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x7ffd1c390000 | 0x7ffd1c432fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x7ffd1c5e0000 | 0x7ffd1c637fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sxs.dll | 0x7ffd1cba0000 | 0x7ffd1cc36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:59 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x378 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
37C
0x
384
0x
38C
0x
398
0x
39C
0x
3B8
0x
6F0
0x
700
0x
704
0x
708
0x
70C
0x
710
0x
718
0x
720
0x
7F0
0x
7F8
0x
3A4
0x
73C
0x
43C
0x
A10
0x
A14
0x
A20
0x
A24
0x
510
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000a2ea520000 | 0xa2ea520000 | 0xa2ea53ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a2ea520000 | 0xa2ea520000 | 0xa2ea52ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2ea530000 | 0xa2ea530000 | 0xa2ea536fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a2ea540000 | 0xa2ea540000 | 0xa2ea54efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a2ea550000 | 0xa2ea550000 | 0xa2ea5cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a2ea5d0000 | 0xa2ea5d0000 | 0xa2ea5d3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a2ea5e0000 | 0xa2ea5e0000 | 0xa2ea5e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a2ea5f0000 | 0xa2ea5f0000 | 0xa2ea5f1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xa2ea600000 | 0xa2ea67dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000a2ea680000 | 0xa2ea680000 | 0xa2ea77ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2ea780000 | 0xa2ea780000 | 0xa2ea97ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xa2ea780000 | 0xa2ea839fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000a2ea780000 | 0xa2ea780000 | 0xa2ea786fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a2ea790000 | 0xa2ea790000 | 0xa2ea917fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a2ea920000 | 0xa2ea920000 | 0xa2ea922fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a2ea930000 | 0xa2ea930000 | 0xa2ea930fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2ea940000 | 0xa2ea940000 | 0xa2ea940fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2ea950000 | 0xa2ea950000 | 0xa2ea950fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a2ea960000 | 0xa2ea960000 | 0xa2ea960fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a2ea970000 | 0xa2ea970000 | 0xa2ea97ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a2ea980000 | 0xa2ea980000 | 0xa2eab00fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a2eab10000 | 0xa2eab10000 | 0xa2eabcffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a2eabd0000 | 0xa2eabd0000 | 0xa2eafc9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a2eafd0000 | 0xa2eafd0000 | 0xa2eb04ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb050000 | 0xa2eb050000 | 0xa2eb0cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a2eb050000 | 0xa2eb050000 | 0xa2eb050fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a2eb060000 | 0xa2eb060000 | 0xa2eb060fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb070000 | 0xa2eb070000 | 0xa2eb070fff | Private Memory | Readable, Writable |
|
|
|
|
| mmdevapi.dll.mui | 0xa2eb080000 | 0xa2eb080fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000a2eb090000 | 0xa2eb090000 | 0xa2eb090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb090000 | 0xa2eb090000 | 0xa2eb096fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb0a0000 | 0xa2eb0a0000 | 0xa2eb0a1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb0a0000 | 0xa2eb0a0000 | 0xa2eb0a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb0a0000 | 0xa2eb0a0000 | 0xa2eb0a2fff | Private Memory | Readable, Writable |
|
|
|
|
| pfsvperfstats.bin | 0xa2eb0a0000 | 0xa2eb0a0fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000a2eb0a0000 | 0xa2eb0a0000 | 0xa2eb0c7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb0b0000 | 0xa2eb0b0000 | 0xa2eb0b1fff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0xa2eb0d0000 | 0xa2eb3a4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000a2eb3b0000 | 0xa2eb3b0000 | 0xa2eb42ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb3b0000 | 0xa2eb3b0000 | 0xa2eb3e0fff | Private Memory | Readable, Writable |
|
|
|
|
| thumbnailextractionhost.exe-64f19b6a.pf | 0xa2eb3b0000 | 0xa2eb3b3fff | Memory Mapped File | Readable |
|
|
|
|
| sppsvc.exe-cbe91656.pf | 0xa2eb3b0000 | 0xa2eb3c5fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000a2eb3b0000 | 0xa2eb3b0000 | 0xa2eb3d8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb430000 | 0xa2eb430000 | 0xa2eb4affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb4b0000 | 0xa2eb4b0000 | 0xa2eb52ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb530000 | 0xa2eb530000 | 0xa2eb5affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb5b0000 | 0xa2eb5b0000 | 0xa2eb62ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb630000 | 0xa2eb630000 | 0xa2eb6affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb6b0000 | 0xa2eb6b0000 | 0xa2eb72ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb730000 | 0xa2eb730000 | 0xa2eb7affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb7b0000 | 0xa2eb7b0000 | 0xa2eb8affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb8b0000 | 0xa2eb8b0000 | 0xa2eb9cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb8b0000 | 0xa2eb8b0000 | 0xa2eb92ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb930000 | 0xa2eb930000 | 0xa2eb9affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb9b0000 | 0xa2eb9b0000 | 0xa2eb9cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a2eb9d0000 | 0xa2eb9d0000 | 0xa3eb9cffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0xa3eb9d0000 | 0xa3ebb46fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000a3eb9d0000 | 0xa3eb9d0000 | 0xa3ebacffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a3ebad0000 | 0xa3ebad0000 | 0xa3ebb4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a3ebb50000 | 0xa3ebb50000 | 0xa3ebc4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a3ebc50000 | 0xa3ebc50000 | 0xa3ebccffff | Private Memory | Readable, Writable |
|
|
|
|
| taskhost.exe-9d9f554c.pf | 0xa3ebc50000 | 0xa3ebc5dfff | Memory Mapped File | Readable |
|
|
|
|
| svchost.exe-135a30d8.pf | 0xa3ebc50000 | 0xa3ebc54fff | Memory Mapped File | Readable |
|
|
|
|
| mobsync.exe-d8bc6ed2.pf | 0xa3ebc50000 | 0xa3ebc56fff | Memory Mapped File | Readable |
|
|
|
|
| audiodg.exe-d0d776ac.pf | 0xa3ebc50000 | 0xa3ebc55fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000a3ebcd0000 | 0xa3ebcd0000 | 0xa3ebcd0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| dllhost.exe-74cfcb84.pf | 0xa3ebce0000 | 0xa3ebce6fff | Memory Mapped File | Readable |
|
|
|
|
| armsvc.exe-28c8c2ba.pf | 0xa3ebce0000 | 0xa3ebce3fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000a3ebcf0000 | 0xa3ebcf0000 | 0xa3ebeeffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a3ebef0000 | 0xa3ebef0000 | 0xa3ebf88fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617560000 | 0x7ff617560000 | 0x7ff617561fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617562000 | 0x7ff617562000 | 0x7ff617563fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617564000 | 0x7ff617564000 | 0x7ff617565fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617566000 | 0x7ff617566000 | 0x7ff617567fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617568000 | 0x7ff617568000 | 0x7ff617569fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61756a000 | 0x7ff61756a000 | 0x7ff61756bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61756c000 | 0x7ff61756c000 | 0x7ff61756dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61756e000 | 0x7ff61756e000 | 0x7ff61756ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff617570000 | 0x7ff617570000 | 0x7ff61766ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff617670000 | 0x7ff617670000 | 0x7ff617692fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff617693000 | 0x7ff617693000 | 0x7ff617694fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617695000 | 0x7ff617695000 | 0x7ff617696fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617697000 | 0x7ff617697000 | 0x7ff617698fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617699000 | 0x7ff617699000 | 0x7ff617699fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61769a000 | 0x7ff61769a000 | 0x7ff61769bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61769c000 | 0x7ff61769c000 | 0x7ff61769dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61769e000 | 0x7ff61769e000 | 0x7ff61769ffff | Private Memory | Readable, Writable |
|
|
|
|
| svchost.exe | 0x7ff618320000 | 0x7ff61832bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| portabledeviceconnectapi.dll | 0x7ffd12ba0000 | 0x7ffd12bb4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| portabledeviceapi.dll | 0x7ffd12e20000 | 0x7ffd12ec5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| brokerlib.dll | 0x7ffd12fa0000 | 0x7ffd12fc3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| npmproxy.dll | 0x7ffd13010000 | 0x7ffd1301dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wpdbusenum.dll | 0x7ffd13100000 | 0x7ffd13117fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ncbservice.dll | 0x7ffd13160000 | 0x7ffd13188fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| systemeventsbrokerclient.dll | 0x7ffd137c0000 | 0x7ffd137c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sysmain.dll | 0x7ffd13c60000 | 0x7ffd13d92fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netprofm.dll | 0x7ffd15310000 | 0x7ffd1534cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| actxprxy.dll | 0x7ffd167a0000 | 0x7ffd16a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| twinapi.dll | 0x7ffd17840000 | 0x7ffd178f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| trkwks.dll | 0x7ffd18dd0000 | 0x7ffd18df1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pcasvc.dll | 0x7ffd18e00000 | 0x7ffd18e75fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| audioendpointbuilder.dll | 0x7ffd19090000 | 0x7ffd190c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| taskschd.dll | 0x7ffd190d0000 | 0x7ffd1926cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x7ffd195b0000 | 0x7ffd195dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| xmllite.dll | 0x7ffd197f0000 | 0x7ffd19827fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bi.dll | 0x7ffd19f40000 | 0x7ffd19f4afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7ffd19f70000 | 0x7ffd19f80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| aepic.dll | 0x7ffd1a130000 | 0x7ffd1a14bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sfc_os.dll | 0x7ffd1a3a0000 | 0x7ffd1a3affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mmdevapi.dll | 0x7ffd1ade0000 | 0x7ffd1ae40fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x7ffd1b950000 | 0x7ffd1b9dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x7ffd1c5e0000 | 0x7ffd1c637fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x7ffd1ce20000 | 0x7ffd1cff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wintrust.dll | 0x7ffd1d000000 | 0x7ffd1d04dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x7ffd1db40000 | 0x7ffd1dd15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 2 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k NetworkService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:56 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xe0 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
100
0x
FC
0x
108
0x
150
0x
1D8
0x
214
0x
128
0x
234
0x
238
0x
250
0x
5E0
0x
5E8
0x
61C
0x
6A4
0x
6EC
0x
6F8
0x
71C
0x
724
0x
730
0x
738
0x
744
0x
748
0x
6F4
0x
4A4
0x
48C
0x
7C4
0x
818
0x
82C
0x
86C
0x
870
0x
87C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000bd845c0000 | 0xbd845c0000 | 0xbd845dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd845c0000 | 0xbd845c0000 | 0xbd845cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd845d0000 | 0xbd845d0000 | 0xbd845d6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd845e0000 | 0xbd845e0000 | 0xbd845eefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bd845f0000 | 0xbd845f0000 | 0xbd8466ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd84670000 | 0xbd84670000 | 0xbd84673fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd84680000 | 0xbd84680000 | 0xbd84680fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bd84690000 | 0xbd84690000 | 0xbd84691fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xbd846a0000 | 0xbd8471dfff | Memory Mapped File | Readable |
|
|
|
|
| rpcss.dll | 0xbd84720000 | 0xbd847d9fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000bd84720000 | 0xbd84720000 | 0xbd84726fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd84730000 | 0xbd84730000 | 0xbd847effff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bd847f0000 | 0xbd847f0000 | 0xbd848effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd848f0000 | 0xbd848f0000 | 0xbd849effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd848f0000 | 0xbd848f0000 | 0xbd848f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd84900000 | 0xbd84900000 | 0xbd84900fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd84910000 | 0xbd84910000 | 0xbd84910fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd84920000 | 0xbd84920000 | 0xbd84920fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd84930000 | 0xbd84930000 | 0xbd849affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd849b0000 | 0xbd849b0000 | 0xbd849b0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd849b0000 | 0xbd849b0000 | 0xbd849b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd849c0000 | 0xbd849c0000 | 0xbd849c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bd849d0000 | 0xbd849d0000 | 0xbd849d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd849e0000 | 0xbd849e0000 | 0xbd849effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd849f0000 | 0xbd849f0000 | 0xbd84b77fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd84b80000 | 0xbd84b80000 | 0xbd84d00fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd84d10000 | 0xbd84d10000 | 0xbd85109fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bd85110000 | 0xbd85110000 | 0xbd8518ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0xbd85190000 | 0xbd85464fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000bd85470000 | 0xbd85470000 | 0xbd854effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd854f0000 | 0xbd854f0000 | 0xbd8556ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85570000 | 0xbd85570000 | 0xbd855effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd855f0000 | 0xbd855f0000 | 0xbd8566ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85670000 | 0xbd85670000 | 0xbd856effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd856f0000 | 0xbd856f0000 | 0xbd857bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd856f0000 | 0xbd856f0000 | 0xbd8576ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85770000 | 0xbd85770000 | 0xbd85770fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85770000 | 0xbd85770000 | 0xbd85776fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd857b0000 | 0xbd857b0000 | 0xbd857bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd857c0000 | 0xbd857c0000 | 0xbd8583ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85840000 | 0xbd85840000 | 0xbd8593ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85940000 | 0xbd85940000 | 0xbd859bffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0xbd859c0000 | 0xbd85b36fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000bd859c0000 | 0xbd859c0000 | 0xbd85a3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85a40000 | 0xbd85a40000 | 0xbd85abffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85ac0000 | 0xbd85ac0000 | 0xbd85b3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85b40000 | 0xbd85b40000 | 0xbd85cdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85b40000 | 0xbd85b40000 | 0xbd85c3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85c40000 | 0xbd85c40000 | 0xbd85cbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85cd0000 | 0xbd85cd0000 | 0xbd85cdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85ce0000 | 0xbd85ce0000 | 0xbd85d5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85d60000 | 0xbd85d60000 | 0xbd85ddffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85de0000 | 0xbd85de0000 | 0xbd85edffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85ee0000 | 0xbd85ee0000 | 0xbd85f5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85f60000 | 0xbd85f60000 | 0xbd8604ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd85f60000 | 0xbd85f60000 | 0xbd85fdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd86040000 | 0xbd86040000 | 0xbd8604ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd86050000 | 0xbd86050000 | 0xbd8614ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd86150000 | 0xbd86150000 | 0xbd861cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd861d0000 | 0xbd861d0000 | 0xbd8624ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617230000 | 0x7ff617230000 | 0x7ff617231fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617232000 | 0x7ff617232000 | 0x7ff617233fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617234000 | 0x7ff617234000 | 0x7ff617235fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617236000 | 0x7ff617236000 | 0x7ff617237fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617238000 | 0x7ff617238000 | 0x7ff617239fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61723a000 | 0x7ff61723a000 | 0x7ff61723bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61723c000 | 0x7ff61723c000 | 0x7ff61723dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61723e000 | 0x7ff61723e000 | 0x7ff61723ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617240000 | 0x7ff617240000 | 0x7ff617241fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617242000 | 0x7ff617242000 | 0x7ff617243fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617244000 | 0x7ff617244000 | 0x7ff617245fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617246000 | 0x7ff617246000 | 0x7ff617247fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617248000 | 0x7ff617248000 | 0x7ff617249fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61724a000 | 0x7ff61724a000 | 0x7ff61724bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61724c000 | 0x7ff61724c000 | 0x7ff61724dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61724e000 | 0x7ff61724e000 | 0x7ff61724ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff617250000 | 0x7ff617250000 | 0x7ff61734ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff617350000 | 0x7ff617350000 | 0x7ff617372fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff617374000 | 0x7ff617374000 | 0x7ff617375fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617376000 | 0x7ff617376000 | 0x7ff617377fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617378000 | 0x7ff617378000 | 0x7ff617379fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61737a000 | 0x7ff61737a000 | 0x7ff61737bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61737c000 | 0x7ff61737c000 | 0x7ff61737dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61737e000 | 0x7ff61737e000 | 0x7ff61737efff | Private Memory | Readable, Writable |
|
|
|
|
| svchost.exe | 0x7ff618320000 | 0x7ff61832bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkssvc.dll | 0x7ffd158a0000 | 0x7ffd158e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc.dll | 0x7ffd18180000 | 0x7ffd18198fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc6.dll | 0x7ffd181a0000 | 0x7ffd181b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsext.dll | 0x7ffd181c0000 | 0x7ffd181c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fwpuclnt.dll | 0x7ffd18220000 | 0x7ffd18286fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wmiclnt.dll | 0x7ffd18350000 | 0x7ffd1835dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsrslvr.dll | 0x7ffd18380000 | 0x7ffd183c1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wlanapi.dll | 0x7ffd184e0000 | 0x7ffd1852bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| vssapi.dll | 0x7ffd18530000 | 0x7ffd186affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcd.dll | 0x7ffd18970000 | 0x7ffd18989fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samcli.dll | 0x7ffd18d10000 | 0x7ffd18d26fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| vsstrace.dll | 0x7ffd18db0000 | 0x7ffd18dc5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samlib.dll | 0x7ffd18ec0000 | 0x7ffd18eddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| taskschd.dll | 0x7ffd190d0000 | 0x7ffd1926cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dsrole.dll | 0x7ffd19290000 | 0x7ffd19298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| es.dll | 0x7ffd19300000 | 0x7ffd19377fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wevtapi.dll | 0x7ffd195e0000 | 0x7ffd19646fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7ffd19f70000 | 0x7ffd19f80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x7ffd19f90000 | 0x7ffd1a0f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ssdpapi.dll | 0x7ffd1a110000 | 0x7ffd1a122fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winhttp.dll | 0x7ffd1a150000 | 0x7ffd1a214fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ncsi.dll | 0x7ffd1a220000 | 0x7ffd1a27bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nlasvc.dll | 0x7ffd1a280000 | 0x7ffd1a2e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptcatsvc.dll | 0x7ffd1a2f0000 | 0x7ffd1a30efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypttpmeksvc.dll | 0x7ffd1a3b0000 | 0x7ffd1a3bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsvc.dll | 0x7ffd1a3c0000 | 0x7ffd1a3e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gpapi.dll | 0x7ffd1bea0000 | 0x7ffd1bec2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x7ffd1c390000 | 0x7ffd1c432fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x7ffd1c5e0000 | 0x7ffd1c637fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netjoin.dll | 0x7ffd1c7a0000 | 0x7ffd1c7effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntasn1.dll | 0x7ffd1c800000 | 0x7ffd1c839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ncrypt.dll | 0x7ffd1c840000 | 0x7ffd1c863fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x7ffd1ce20000 | 0x7ffd1cff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 83 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #50 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:56 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x118 |
| Parent PID | 0x228 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
14C
0x
190
0x
180
0x
17C
0x
10C
0x
210
0x
11C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x00000038520b0000 | 0x38520b0000 | 0x38520cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000038520b0000 | 0x38520b0000 | 0x38520bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000038520c0000 | 0x38520c0000 | 0x38520c6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000038520d0000 | 0x38520d0000 | 0x38520defff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000038520e0000 | 0x38520e0000 | 0x38521dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000038521e0000 | 0x38521e0000 | 0x38521e3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000038521f0000 | 0x38521f0000 | 0x38521f1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x3852200000 | 0x385227dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000003852280000 | 0x3852280000 | 0x38522affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000003852280000 | 0x3852280000 | 0x3852286fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000003852290000 | 0x3852290000 | 0x3852290fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000038522a0000 | 0x38522a0000 | 0x38522affff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x38522b0000 | 0x3852369fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000038522b0000 | 0x38522b0000 | 0x38522b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000038522c0000 | 0x38522c0000 | 0x385237ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000003852380000 | 0x3852380000 | 0x3852380fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000003852390000 | 0x3852390000 | 0x3852390fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000038523c0000 | 0x38523c0000 | 0x38524bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000038524c0000 | 0x38524c0000 | 0x3852647fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000003852650000 | 0x3852650000 | 0x38527d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x38527e0000 | 0x3852ab4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000003852ac0000 | 0x3852ac0000 | 0x3852bbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000003852bc0000 | 0x3852bc0000 | 0x3852cbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000003852cc0000 | 0x3852cc0000 | 0x3852dbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000003852dc0000 | 0x3852dc0000 | 0x3852ebffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000003852ec0000 | 0x3852ec0000 | 0x3852fbffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff60bc00000 | 0x7ff60bc00000 | 0x7ff60bcfffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff60bd00000 | 0x7ff60bd00000 | 0x7ff60bd22fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff60bd23000 | 0x7ff60bd23000 | 0x7ff60bd24fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bd25000 | 0x7ff60bd25000 | 0x7ff60bd26fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bd27000 | 0x7ff60bd27000 | 0x7ff60bd28fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bd29000 | 0x7ff60bd29000 | 0x7ff60bd2afff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bd2b000 | 0x7ff60bd2b000 | 0x7ff60bd2cfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bd2d000 | 0x7ff60bd2d000 | 0x7ff60bd2efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bd2f000 | 0x7ff60bd2f000 | 0x7ff60bd2ffff | Private Memory | Readable, Writable |
|
|
|
|
| dllhost.exe | 0x7ff60bd90000 | 0x7ff60bd96fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| idstore.dll | 0x7ffd18d30000 | 0x7ffd18d53fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\windows\system32\spoolsv.exe |
| Command Line | C:\Windows\System32\spoolsv.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:55 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x3dc |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
3D0
0x
134
0x
108
0x
410
0x
430
0x
BC8
0x
BCC
0x
BD0
0x
BD4
0x
BD8
0x
BDC
0x
BE0
0x
BE4
0x
BF0
0x
BF4
0x
BF8
0x
BFC
0x
808
0x
80C
0x
48C
0x
50C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000860000 | 0x00860000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000860000 | 0x00860000 | 0x0086ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000870000 | 0x00870000 | 0x00876fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000880000 | 0x00880000 | 0x0088efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000008f0000 | 0x008f0000 | 0x008f1fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000900000 | 0x00900000 | 0x00902fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000910000 | 0x00910000 | 0x00910fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000920000 | 0x00920000 | 0x00920fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000930000 | 0x00930000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00a30000 | 0x00aadfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00c37fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00dc0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00e8ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x01289fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001290000 | 0x01290000 | 0x01290fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012a0000 | 0x012a0000 | 0x012cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012a0000 | 0x012a0000 | 0x012a6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012b0000 | 0x012b0000 | 0x012b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012c0000 | 0x012c0000 | 0x012cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000012d0000 | 0x012d0000 | 0x0130ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001310000 | 0x01310000 | 0x0134ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x01350000 | 0x01409fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000001350000 | 0x01350000 | 0x0141ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001350000 | 0x01350000 | 0x01350fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001350000 | 0x01350000 | 0x0138ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001350000 | 0x01350000 | 0x01350fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001360000 | 0x01360000 | 0x01360fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001370000 | 0x01370000 | 0x01376fff | Private Memory | Readable, Writable |
|
|
|
|
| c_printer.inf | 0x01380000 | 0x01380fff | Memory Mapped File | Readable |
|
|
|
|
| tzres.dll | 0x01380000 | 0x01381fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000001380000 | 0x01380000 | 0x01380fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001390000 | 0x01390000 | 0x013cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000013d0000 | 0x013d0000 | 0x0140ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001410000 | 0x01410000 | 0x0141ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x01420000 | 0x016f4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000001700000 | 0x01700000 | 0x017fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001800000 | 0x01800000 | 0x018fffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0x01900000 | 0x01a76fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000001900000 | 0x01900000 | 0x0193ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001940000 | 0x01940000 | 0x0197ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001980000 | 0x01980000 | 0x019bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000019c0000 | 0x019c0000 | 0x019fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001a00000 | 0x01a00000 | 0x01a3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001a40000 | 0x01a40000 | 0x01a7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001a80000 | 0x01a80000 | 0x01b80fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001a80000 | 0x01a80000 | 0x01abffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ac0000 | 0x01ac0000 | 0x01afffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001b00000 | 0x01b00000 | 0x01b3ffff | Private Memory | Readable, Writable |
|
|
|
|
| tzres.dll.mui | 0x01b40000 | 0x01b47fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x00007ff668c10000 | 0x7ff668c10000 | 0x7ff668c11fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668c12000 | 0x7ff668c12000 | 0x7ff668c13fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668c14000 | 0x7ff668c14000 | 0x7ff668c15fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668c16000 | 0x7ff668c16000 | 0x7ff668c17fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668c18000 | 0x7ff668c18000 | 0x7ff668c19fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668c1a000 | 0x7ff668c1a000 | 0x7ff668c1bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668c1c000 | 0x7ff668c1c000 | 0x7ff668c1dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668c1e000 | 0x7ff668c1e000 | 0x7ff668c1ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff668c20000 | 0x7ff668c20000 | 0x7ff668d1ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff668d20000 | 0x7ff668d20000 | 0x7ff668d42fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff668d43000 | 0x7ff668d43000 | 0x7ff668d44fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668d45000 | 0x7ff668d45000 | 0x7ff668d46fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668d47000 | 0x7ff668d47000 | 0x7ff668d48fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668d49000 | 0x7ff668d49000 | 0x7ff668d4afff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668d4b000 | 0x7ff668d4b000 | 0x7ff668d4cfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668d4d000 | 0x7ff668d4d000 | 0x7ff668d4efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff668d4f000 | 0x7ff668d4f000 | 0x7ff668d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| spoolsv.exe | 0x7ff669b50000 | 0x7ff669c15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| inetpp.dll | 0x7ffd113a0000 | 0x7ffd113cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devrtl.dll | 0x7ffd113d0000 | 0x7ffd113e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| win32spl.dll | 0x7ffd113f0000 | 0x7ffd114b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| drvstore.dll | 0x7ffd114c0000 | 0x7ffd11578fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| webservices.dll | 0x7ffd11580000 | 0x7ffd116e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsdapi.dll | 0x7ffd116f0000 | 0x7ffd1178afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winprint.dll | 0x7ffd11890000 | 0x7ffd1189dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fdpnp.dll | 0x7ffd118a0000 | 0x7ffd118b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fundisc.dll | 0x7ffd118c0000 | 0x7ffd118e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsdmon.dll | 0x7ffd118f0000 | 0x7ffd1193bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usbmon.dll | 0x7ffd11940000 | 0x7ffd11988fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsnmp32.dll | 0x7ffd11990000 | 0x7ffd119a2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| snmpapi.dll | 0x7ffd119b0000 | 0x7ffd119bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| tcpmon.dll | 0x7ffd119c0000 | 0x7ffd119f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| localspl.dll | 0x7ffd11a00000 | 0x7ffd11b00fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fxsmon.dll | 0x7ffd12040000 | 0x7ffd1204efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| printisolationproxy.dll | 0x7ffd12050000 | 0x7ffd12061fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| spoolss.dll | 0x7ffd12070000 | 0x7ffd12081fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasadhlp.dll | 0x7ffd13520000 | 0x7ffd13528fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cscapi.dll | 0x7ffd152c0000 | 0x7ffd152cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winspool.drv | 0x7ffd15990000 | 0x7ffd15a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fwpuclnt.dll | 0x7ffd18220000 | 0x7ffd18286fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dsrole.dll | 0x7ffd19290000 | 0x7ffd19298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| atl.dll | 0x7ffd192c0000 | 0x7ffd192dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| xmllite.dll | 0x7ffd197f0000 | 0x7ffd19827fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| firewallapi.dll | 0x7ffd1bbd0000 | 0x7ffd1bc85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gpapi.dll | 0x7ffd1bea0000 | 0x7ffd1bec2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| spinf.dll | 0x7ffd1c040000 | 0x7ffd1c05cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x7ffd1c390000 | 0x7ffd1c432fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x7ffd1c5e0000 | 0x7ffd1c637fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x7ffd1ce20000 | 0x7ffd1cff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wintrust.dll | 0x7ffd1d000000 | 0x7ffd1d04dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x7ffd1db40000 | 0x7ffd1dd15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\windows\system32\userinit.exe |
| Command Line | C:\Windows\system32\userinit.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:55 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x3f8 |
| Parent PID | 0x1a8 (c:\windows\system32\winlogon.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
3FC
0x
78C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x00000009582c0000 | 0x9582c0000 | 0x9582dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000009582c0000 | 0x9582c0000 | 0x9582cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000009582d0000 | 0x9582d0000 | 0x9582d6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000009582e0000 | 0x9582e0000 | 0x9582eefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000009582f0000 | 0x9582f0000 | 0x95836ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000958370000 | 0x958370000 | 0x958373fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000958380000 | 0x958380000 | 0x958380fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000958390000 | 0x958390000 | 0x958391fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x9583a0000 | 0x95841dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000958420000 | 0x958420000 | 0x958426fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000958430000 | 0x958430000 | 0x95852ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000958530000 | 0x958530000 | 0x9586fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000958530000 | 0x958530000 | 0x9586b7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000009586c0000 | 0x9586c0000 | 0x9586c2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000009586d0000 | 0x9586d0000 | 0x9586d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000009586e0000 | 0x9586e0000 | 0x9586e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000009586f0000 | 0x9586f0000 | 0x9586fffff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x958700000 | 0x958733fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000958700000 | 0x958700000 | 0x958880fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000958890000 | 0x958890000 | 0x959c8ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000959c90000 | 0x959c90000 | 0x95a089fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000095a090000 | 0x95a090000 | 0x95a090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000095a0a0000 | 0x95a0a0000 | 0x95a1affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000095a0a0000 | 0x95a0a0000 | 0x95a0a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000095a0a0000 | 0x95a0a0000 | 0x95a18ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000095a190000 | 0x95a190000 | 0x95a193fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000095a1a0000 | 0x95a1a0000 | 0x95a1affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000095a1b0000 | 0x95a1b0000 | 0x95a1b6fff | Private Memory | Readable, Writable |
|
|
|
|
| sysmain.sdb | 0x95a1c0000 | 0x95a223fff | Memory Mapped File | Readable |
|
|
|
|
| explorer.exe | 0x7ff640f40000 | 0x7ff641175fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00007ff788940000 | 0x7ff788940000 | 0x7ff788a3ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff788a40000 | 0x7ff788a40000 | 0x7ff788a62fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff788a6a000 | 0x7ff788a6a000 | 0x7ff788a6afff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff788a6e000 | 0x7ff788a6e000 | 0x7ff788a6ffff | Private Memory | Readable, Writable |
|
|
|
|
| userinit.exe | 0x7ff788ea0000 | 0x7ff788ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userinitext.dll | 0x7ffd17900000 | 0x7ffd17908fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x7ffd1b950000 | 0x7ffd1b9dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dpapi.dll | 0x7ffd1b9e0000 | 0x7ffd1b9e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x7ffd1ce20000 | 0x7ffd1cff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #53 |
| File Name | c:\windows\system32\taskhost.exe |
| Command Line | taskhost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:54 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x234 |
| Parent PID | 0x320 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
404
0x
834
0x
840
0x
844
0x
864
0x
868
0x
898
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000c25ce80000 | 0xc25ce80000 | 0xc25ce9ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c25ce80000 | 0xc25ce80000 | 0xc25ce8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000c25ce90000 | 0xc25ce90000 | 0xc25ce96fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c25cea0000 | 0xc25cea0000 | 0xc25ceaefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c25ceb0000 | 0xc25ceb0000 | 0xc25cf2ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c25cf30000 | 0xc25cf30000 | 0xc25cf33fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c25cf40000 | 0xc25cf40000 | 0xc25cf40fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c25cf50000 | 0xc25cf50000 | 0xc25cf51fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xc25cf60000 | 0xc25cfddfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000c25cfe0000 | 0xc25cfe0000 | 0xc25cfe6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c25cff0000 | 0xc25cff0000 | 0xc25cff2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c25d000000 | 0xc25d000000 | 0xc25d000fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000c25d010000 | 0xc25d010000 | 0xc25d10ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c25d110000 | 0xc25d110000 | 0xc25d2dffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0xc25d110000 | 0xc25d286fff | Memory Mapped File | Readable |
|
|
|
|
| rpcss.dll | 0xc25d110000 | 0xc25d1c9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000c25d110000 | 0xc25d110000 | 0xc25d297fff | Pagefile Backed Memory | Readable |
|
|
|
|
| taskhost.exe.mui | 0xc25d2a0000 | 0xc25d2a0fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000c25d2b0000 | 0xc25d2b0000 | 0xc25d2b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c25d2c0000 | 0xc25d2c0000 | 0xc25d2c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c25d2d0000 | 0xc25d2d0000 | 0xc25d2dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c25d2e0000 | 0xc25d2e0000 | 0xc25d460fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c25d470000 | 0xc25d470000 | 0xc25d52ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c25d530000 | 0xc25d530000 | 0xc25d5affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c25d5b0000 | 0xc25d5b0000 | 0xc25d62ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c25d630000 | 0xc25d630000 | 0xc25d6affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c25d6b0000 | 0xc25d6b0000 | 0xc25d6b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c25d6c0000 | 0xc25d6c0000 | 0xc25d6c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0xc25d6d0000 | 0xc25d9a4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000c25d9b0000 | 0xc25d9b0000 | 0xc25da2ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c25da30000 | 0xc25da30000 | 0xc25da32fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c25da40000 | 0xc25da40000 | 0xc25dabffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff7f3f90000 | 0x7ff7f3f90000 | 0x7ff7f408ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff7f4090000 | 0x7ff7f4090000 | 0x7ff7f40b2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff7f40b3000 | 0x7ff7f40b3000 | 0x7ff7f40b4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f40b5000 | 0x7ff7f40b5000 | 0x7ff7f40b6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f40b7000 | 0x7ff7f40b7000 | 0x7ff7f40b7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f40b8000 | 0x7ff7f40b8000 | 0x7ff7f40b9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f40ba000 | 0x7ff7f40ba000 | 0x7ff7f40bbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f40bc000 | 0x7ff7f40bc000 | 0x7ff7f40bdfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f40be000 | 0x7ff7f40be000 | 0x7ff7f40bffff | Private Memory | Readable, Writable |
|
|
|
|
| taskhost.exe | 0x7ff7f4a20000 | 0x7ff7f4a35fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| certenroll.dll | 0x7ffd11980000 | 0x7ffd11be0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| certca.dll | 0x7ffd11bf0000 | 0x7ffd11ce3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pautoenr.dll | 0x7ffd11cf0000 | 0x7ffd11d02fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dimsjob.dll | 0x7ffd11d40000 | 0x7ffd11d4cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| npmproxy.dll | 0x7ffd13010000 | 0x7ffd1301dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netcfgx.dll | 0x7ffd13530000 | 0x7ffd135a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netprofm.dll | 0x7ffd15310000 | 0x7ffd1534cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| taskschd.dll | 0x7ffd190d0000 | 0x7ffd1926cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dsrole.dll | 0x7ffd19290000 | 0x7ffd19298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dpapi.dll | 0x7ffd1b9e0000 | 0x7ffd1b9e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x7ffd1ce20000 | 0x7ffd1cff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wldap32.dll | 0x7ffd1f3b0000 | 0x7ffd1f409fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:54 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x418 |
| Parent PID | 0x3f8 (c:\windows\system32\userinit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
41C
0x
470
0x
474
0x
478
0x
47C
0x
480
0x
484
0x
488
0x
490
0x
49C
0x
4A8
0x
4AC
0x
4B0
0x
4B4
0x
4B8
0x
4D0
0x
4D4
0x
4D8
0x
4DC
0x
4F4
0x
504
0x
508
0x
50C
0x
510
0x
514
0x
518
0x
51C
0x
520
0x
524
0x
528
0x
52C
0x
530
0x
534
0x
538
0x
53C
0x
540
0x
544
0x
548
0x
54C
0x
550
0x
554
0x
560
0x
564
0x
568
0x
56C
0x
570
0x
578
0x
57C
0x
580
0x
584
0x
588
0x
58C
0x
594
0x
5A8
0x
5AC
0x
5B0
0x
5D4
0x
5D8
0x
5EC
0x
5F0
0x
5F4
0x
614
0x
618
0x
640
0x
648
0x
654
0x
664
0x
668
0x
680
0x
67C
0x
684
0x
690
0x
694
0x
69C
0x
6A0
0x
6B0
0x
438
0x
880
0x
884
0x
888
0x
88C
0x
89C
0x
668
0x
460
0x
45C
0x
4A0
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d80000 | 0x00d80000 | 0x00d9ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000d90000 | 0x00d90000 | 0x00d96fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00daefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000db0000 | 0x00db0000 | 0x00e2ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e33fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e42fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000e50000 | 0x00e50000 | 0x00e51fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000e60000 | 0x00e60000 | 0x00f5ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00f60000 | 0x00fddfff | Memory Mapped File | Readable |
|
|
|
|
| sysmain.sdb | 0x00fe0000 | 0x01043fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0111ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe6fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x00ff0000 | 0x01023fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001000000 | 0x01000000 | 0x01000fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001010000 | 0x01010000 | 0x01010fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001020000 | 0x01020000 | 0x01020fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001030000 | 0x01030000 | 0x01030fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001030000 | 0x01030000 | 0x01033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001040000 | 0x01040000 | 0x01046fff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x01050000 | 0x01109fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000001050000 | 0x01050000 | 0x01050fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001060000 | 0x01060000 | 0x01060fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001070000 | 0x01070000 | 0x01070fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001080000 | 0x01080000 | 0x01080fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cversions.1.db | 0x01090000 | 0x01093fff | Memory Mapped File | Readable |
|
|
|
|
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x000000000000002f.db | 0x010a0000 | 0x010bffff | Memory Mapped File | Readable |
|
|
|
|
| cversions.1.db | 0x010c0000 | 0x010c3fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x010c2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001b.db | 0x010d0000 | 0x010e6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000010f0000 | 0x010f0000 | 0x010f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001100000 | 0x01100000 | 0x01100fff | Private Memory | Readable, Writable |
|
|
|
|
| cversions.1.db | 0x01100000 | 0x01103fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000001110000 | 0x01110000 | 0x0111ffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0x01120000 | 0x01296fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000001120000 | 0x01120000 | 0x012a7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000012b0000 | 0x012b0000 | 0x01430fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001440000 | 0x01440000 | 0x0283ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000002840000 | 0x02840000 | 0x02c39fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002c40000 | 0x02c40000 | 0x02e2ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002c40000 | 0x02c40000 | 0x02d2ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002d30000 | 0x02d30000 | 0x02daffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002db0000 | 0x02db0000 | 0x02db0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002db0000 | 0x02db0000 | 0x02db1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| windowsshell.manifest | 0x02dc0000 | 0x02dc0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000002dc0000 | 0x02dc0000 | 0x02dc1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000002dd0000 | 0x02dd0000 | 0x02dd1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| oleaccrc.dll | 0x02de0000 | 0x02de0fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002df0000 | 0x02df0000 | 0x02df0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002e00000 | 0x02e00000 | 0x02e00fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002e10000 | 0x02e10000 | 0x02e10fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002e20000 | 0x02e20000 | 0x02e2ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02e30000 | 0x03104fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000003110000 | 0x03110000 | 0x0318ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003190000 | 0x03190000 | 0x0320ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003210000 | 0x03210000 | 0x0328ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003290000 | 0x03290000 | 0x0330ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003310000 | 0x03310000 | 0x0338ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003390000 | 0x03390000 | 0x0340ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003410000 | 0x03410000 | 0x03410fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000003420000 | 0x03420000 | 0x03422fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000003430000 | 0x03430000 | 0x034affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000034b0000 | 0x034b0000 | 0x035affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000035b0000 | 0x035b0000 | 0x035b1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000035c0000 | 0x035c0000 | 0x035effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000035c0000 | 0x035c0000 | 0x035cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000035d0000 | 0x035d0000 | 0x035dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000035e0000 | 0x035e0000 | 0x035effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000035f0000 | 0x035f0000 | 0x035f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003600000 | 0x03600000 | 0x03600fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003610000 | 0x03610000 | 0x03610fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003620000 | 0x03620000 | 0x03620fff | Private Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x03630000 | 0x0449ffff | Memory Mapped File | Readable |
|
|
|
|
| comctl32.dll.mui | 0x044a0000 | 0x044a2fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x00007ff6404aa000 | 0x7ff6404aa000 | 0x7ff6404abfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6404ac000 | 0x7ff6404ac000 | 0x7ff6404adfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6404ae000 | 0x7ff6404ae000 | 0x7ff6404affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6404b0000 | 0x7ff6404b0000 | 0x7ff6405affff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6405b0000 | 0x7ff6405b0000 | 0x7ff6405d2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6405d3000 | 0x7ff6405d3000 | 0x7ff6405d4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6405d5000 | 0x7ff6405d5000 | 0x7ff6405d6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6405d7000 | 0x7ff6405d7000 | 0x7ff6405d8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6405d9000 | 0x7ff6405d9000 | 0x7ff6405dafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6405db000 | 0x7ff6405db000 | 0x7ff6405dcfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6405dd000 | 0x7ff6405dd000 | 0x7ff6405defff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6405df000 | 0x7ff6405df000 | 0x7ff6405dffff | Private Memory | Readable, Writable |
|
|
|
|
| explorer.exe | 0x7ff640f40000 | 0x7ff641175fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| actxprxy.dll | 0x7ffd167a0000 | 0x7ffd16a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| twinapi.appcore.dll | 0x7ffd16a50000 | 0x7ffd16addfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| twinui.dll | 0x7ffd16ae0000 | 0x7ffd17777fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| settingsyncpolicy.dll | 0x7ffd17780000 | 0x7ffd1778cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| twinapi.dll | 0x7ffd17840000 | 0x7ffd178f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| windows.ui.immersive.dll | 0x7ffd18a90000 | 0x7ffd18c2afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| idstore.dll | 0x7ffd18d30000 | 0x7ffd18d53fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samlib.dll | 0x7ffd18ec0000 | 0x7ffd18eddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x7ffd195b0000 | 0x7ffd195dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| xmllite.dll | 0x7ffd197f0000 | 0x7ffd19827fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| windowscodecs.dll | 0x7ffd19d80000 | 0x7ffd19f12fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x7ffd19f90000 | 0x7ffd1a0f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dcomp.dll | 0x7ffd1a340000 | 0x7ffd1a399fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10warp.dll | 0x7ffd1a420000 | 0x7ffd1a66cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dxgi.dll | 0x7ffd1a670000 | 0x7ffd1a6eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d11.dll | 0x7ffd1a6f0000 | 0x7ffd1a8f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleacc.dll | 0x7ffd1a970000 | 0x7ffd1a9d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcp47langs.dll | 0x7ffd1ad20000 | 0x7ffd1ad7dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sppc.dll | 0x7ffd1ad80000 | 0x7ffd1ada1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| slc.dll | 0x7ffd1adb0000 | 0x7ffd1addafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mmdevapi.dll | 0x7ffd1ade0000 | 0x7ffd1ae40fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sndvolsso.dll | 0x7ffd1ae50000 | 0x7ffd1ae8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| duser.dll | 0x7ffd1ae90000 | 0x7ffd1af30fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dui70.dll | 0x7ffd1b1d0000 | 0x7ffd1b37afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x7ffd1b950000 | 0x7ffd1b9dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| hid.dll | 0x7ffd1bed0000 | 0x7ffd1bedcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 553 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #55 |
| File Name | c:\windows\system32\taskhostex.exe |
| Command Line | taskhostex.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:54 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x420 |
| Parent PID | 0x320 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
424
0x
434
0x
458
0x
464
0x
468
0x
46C
0x
64C
0x
658
0x
65C
0x
660
0x
6D8
0x
6DC
0x
8B4
0x
8E0
0x
8F8
0x
904
0x
91C
0x
928
0x
940
0x
94C
0x
968
0x
974
0x
98C
0x
998
0x
9B0
0x
9BC
0x
9F0
0x
9FC
0x
A28
0x
A34
0x
A4C
0x
A58
0x
A70
0x
A7C
0x
A94
0x
AA0
0x
AB8
0x
AC4
0x
ADC
0x
AE8
0x
B00
0x
B0C
0x
B24
0x
B30
0x
B4C
0x
B5C
0x
B68
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000002a6c750000 | 0x2a6c750000 | 0x2a6c76ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6c750000 | 0x2a6c750000 | 0x2a6c75ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6c760000 | 0x2a6c760000 | 0x2a6c766fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6c770000 | 0x2a6c770000 | 0x2a6c77efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002a6c780000 | 0x2a6c780000 | 0x2a6c7fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6c800000 | 0x2a6c800000 | 0x2a6c803fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002a6c810000 | 0x2a6c810000 | 0x2a6c810fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002a6c820000 | 0x2a6c820000 | 0x2a6c821fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x2a6c830000 | 0x2a6c8adfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000002a6c8b0000 | 0x2a6c8b0000 | 0x2a6c8b6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6c8c0000 | 0x2a6c8c0000 | 0x2a6c93ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6c940000 | 0x2a6c940000 | 0x2a6c942fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002a6c950000 | 0x2a6c950000 | 0x2a6ca4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6ca50000 | 0x2a6ca50000 | 0x2a6cbeffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0x2a6ca50000 | 0x2a6cbc6fff | Memory Mapped File | Readable |
|
|
|
|
| rpcss.dll | 0x2a6ca50000 | 0x2a6cb09fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000002a6ca50000 | 0x2a6ca50000 | 0x2a6cbd7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002a6cbe0000 | 0x2a6cbe0000 | 0x2a6cbeffff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x2a6cbf0000 | 0x2a6cc23fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000002a6cbf0000 | 0x2a6cbf0000 | 0x2a6cd70fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002a6cd80000 | 0x2a6cd80000 | 0x2a6e17ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002a6e180000 | 0x2a6e180000 | 0x2a6e180fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskhostex.exe.mui | 0x2a6e190000 | 0x2a6e190fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000002a6e1a0000 | 0x2a6e1a0000 | 0x2a6e1a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6e1b0000 | 0x2a6e1b0000 | 0x2a6e1b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6e1c0000 | 0x2a6e1c0000 | 0x2a6e24ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6e1c0000 | 0x2a6e1c0000 | 0x2a6e1c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002a6e1c0000 | 0x2a6e1c0000 | 0x2a6e1c3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002a6e1d0000 | 0x2a6e1d0000 | 0x2a6e1d6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6e1e0000 | 0x2a6e1e0000 | 0x2a6e1e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002a6e1f0000 | 0x2a6e1f0000 | 0x2a6e1f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002a6e200000 | 0x2a6e200000 | 0x2a6e200fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6e210000 | 0x2a6e210000 | 0x2a6e210fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6e220000 | 0x2a6e220000 | 0x2a6e220fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6e230000 | 0x2a6e230000 | 0x2a6e230fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6e240000 | 0x2a6e240000 | 0x2a6e24ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6e250000 | 0x2a6e250000 | 0x2a6e33ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002a6e340000 | 0x2a6e340000 | 0x2a6e3bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6e3c0000 | 0x2a6e3c0000 | 0x2a6e43ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6e440000 | 0x2a6e440000 | 0x2a6e4bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6e4c0000 | 0x2a6e4c0000 | 0x2a6e53ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6e540000 | 0x2a6e540000 | 0x2a6e5bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6e5c0000 | 0x2a6e5c0000 | 0x2a6e9b9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002a6e9c0000 | 0x2a6e9c0000 | 0x2a6ea3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6ea40000 | 0x2a6ea40000 | 0x2a6eabffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6eac0000 | 0x2a6eac0000 | 0x2a6ebbffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x2a6ebc0000 | 0x2a6ee94fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000002a6eea0000 | 0x2a6eea0000 | 0x2a6ef9ffff | Private Memory | Readable, Writable |
|
|
|
|
| wdmaud.drv.mui | 0x2a6efa0000 | 0x2a6efa0fff | Memory Mapped File | Readable |
|
|
|
|
| hdaudio.pnf | 0x2a6efb0000 | 0x2a6efcffff | Memory Mapped File | Readable |
|
|
|
|
| mmdevapi.dll.mui | 0x2a6efb0000 | 0x2a6efb0fff | Memory Mapped File | Readable |
|
|
|
|
| hdaudio.pnf | 0x2a6efc0000 | 0x2a6efdffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000002a6efc0000 | 0x2a6efc0000 | 0x2a6f03ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6efc0000 | 0x2a6efc0000 | 0x2a6efc0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6efc0000 | 0x2a6efc0000 | 0x2a6efc1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6efd0000 | 0x2a6efd0000 | 0x2a6efd0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6f040000 | 0x2a6f040000 | 0x2a6f041fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6f050000 | 0x2a6f050000 | 0x2a6f059fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6f060000 | 0x2a6f060000 | 0x2a6f060fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002a6f060000 | 0x2a6f060000 | 0x2a6f061fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000002a6f070000 | 0x2a6f070000 | 0x2a6f070fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff755426000 | 0x7ff755426000 | 0x7ff755427fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff755428000 | 0x7ff755428000 | 0x7ff755429fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75542a000 | 0x7ff75542a000 | 0x7ff75542bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75542c000 | 0x7ff75542c000 | 0x7ff75542dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75542e000 | 0x7ff75542e000 | 0x7ff75542ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff755430000 | 0x7ff755430000 | 0x7ff75552ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff755530000 | 0x7ff755530000 | 0x7ff755552fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff755554000 | 0x7ff755554000 | 0x7ff755555fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff755556000 | 0x7ff755556000 | 0x7ff755557fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff755558000 | 0x7ff755558000 | 0x7ff755559fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75555a000 | 0x7ff75555a000 | 0x7ff75555bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75555c000 | 0x7ff75555c000 | 0x7ff75555cfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff75555e000 | 0x7ff75555e000 | 0x7ff75555ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskhostex.exe | 0x7ff755c10000 | 0x7ff755c24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| midimap.dll | 0x7ffd13bd0000 | 0x7ffd13bd9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msacm32.dll | 0x7ffd13be0000 | 0x7ffd13bfafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msacm32.drv | 0x7ffd13c00000 | 0x7ffd13c0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ksuser.dll | 0x7ffd13c10000 | 0x7ffd13c17fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wdmaud.drv | 0x7ffd13c20000 | 0x7ffd13c5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| esent.dll | 0x7ffd15360000 | 0x7ffd15610fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| audioses.dll | 0x7ffd15900000 | 0x7ffd15975fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msutb.dll | 0x7ffd17790000 | 0x7ffd17803fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctfmonitor.dll | 0x7ffd17810000 | 0x7ffd1781afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| playsndsrv.dll | 0x7ffd17820000 | 0x7ffd17838fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| avrt.dll | 0x7ffd19d70000 | 0x7ffd19d7afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7ffd19f70000 | 0x7ffd19f80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mmdevapi.dll | 0x7ffd1ade0000 | 0x7ffd1ae40fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\system32\taskhost.exe |
| Command Line | taskhost.exe USER |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:54 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x438 |
| Parent PID | 0x320 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
43C
0x
48C
0x
4A0
0x
4A4
0x
66C
0x
670
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000006ee2680000 | 0x6ee2680000 | 0x6ee269ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ee2680000 | 0x6ee2680000 | 0x6ee268ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ee2690000 | 0x6ee2690000 | 0x6ee2696fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ee26a0000 | 0x6ee26a0000 | 0x6ee26aefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006ee26b0000 | 0x6ee26b0000 | 0x6ee272ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ee2730000 | 0x6ee2730000 | 0x6ee2733fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006ee2740000 | 0x6ee2740000 | 0x6ee2740fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006ee2750000 | 0x6ee2750000 | 0x6ee2751fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x6ee2760000 | 0x6ee27ddfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000006ee27e0000 | 0x6ee27e0000 | 0x6ee27e6fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x6ee27f0000 | 0x6ee2823fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000006ee27f0000 | 0x6ee27f0000 | 0x6ee27f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006ee2800000 | 0x6ee2800000 | 0x6ee2800fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskhost.exe.mui | 0x6ee2810000 | 0x6ee2810fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000006ee2820000 | 0x6ee2820000 | 0x6ee2820fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ee2830000 | 0x6ee2830000 | 0x6ee292ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ee2930000 | 0x6ee2930000 | 0x6ee2a6ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x6ee2930000 | 0x6ee29e9fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000006ee2930000 | 0x6ee2930000 | 0x6ee29affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ee29b0000 | 0x6ee29b0000 | 0x6ee29b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ee29c0000 | 0x6ee29c0000 | 0x6ee29cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ee29d0000 | 0x6ee29d0000 | 0x6ee29d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006ee29d0000 | 0x6ee29d0000 | 0x6ee29d3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006ee29e0000 | 0x6ee29e0000 | 0x6ee29e6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006ee29f0000 | 0x6ee29f0000 | 0x6ee29f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006ee2a00000 | 0x6ee2a00000 | 0x6ee2a00fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006ee2a60000 | 0x6ee2a60000 | 0x6ee2a6ffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0x6ee2a70000 | 0x6ee2be6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000006ee2a70000 | 0x6ee2a70000 | 0x6ee2bf7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006ee2c00000 | 0x6ee2c00000 | 0x6ee2d80fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006ee2d90000 | 0x6ee2d90000 | 0x6ee418ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006ee4190000 | 0x6ee4190000 | 0x6ee427ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006ee4280000 | 0x6ee4280000 | 0x6ee42fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ee4300000 | 0x6ee4300000 | 0x6ee437ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x6ee4380000 | 0x6ee4654fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000006ee4660000 | 0x6ee4660000 | 0x6ee46dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006ee46e0000 | 0x6ee46e0000 | 0x6ee475ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff7f4680000 | 0x7ff7f4680000 | 0x7ff7f477ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff7f4780000 | 0x7ff7f4780000 | 0x7ff7f47a2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff7f47a3000 | 0x7ff7f47a3000 | 0x7ff7f47a4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f47a5000 | 0x7ff7f47a5000 | 0x7ff7f47a6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f47a7000 | 0x7ff7f47a7000 | 0x7ff7f47a8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f47a9000 | 0x7ff7f47a9000 | 0x7ff7f47a9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f47aa000 | 0x7ff7f47aa000 | 0x7ff7f47abfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f47ac000 | 0x7ff7f47ac000 | 0x7ff7f47adfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f47ae000 | 0x7ff7f47ae000 | 0x7ff7f47affff | Private Memory | Readable, Writable |
|
|
|
|
| taskhost.exe | 0x7ff7f4a20000 | 0x7ff7f4a35fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| npmproxy.dll | 0x7ffd13010000 | 0x7ffd1301dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netprofm.dll | 0x7ffd15310000 | 0x7ffd1534cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dimsjob.dll | 0x7ffd163d0000 | 0x7ffd163dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| taskschd.dll | 0x7ffd190d0000 | 0x7ffd1926cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:54 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x440 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
444
0x
494
0x
498
0x
4BC
0x
4E4
0x
4E8
0x
4EC
0x
500
0x
558
0x
55C
0x
574
0x
590
0x
5B4
0x
5B8
0x
5DC
0x
5E4
0x
60C
0x
610
0x
6B4
0x
6E8
0x
7A4
0x
7F4
0x
4F8
0x
180
0x
618
0x
5E0
0x
67C
0x
2C4
0x
3A0
0x
6F0
0x
704
0x
7A8
0x
854
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000000ffdc20000 | 0xffdc20000 | 0xffdc3ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ffdc20000 | 0xffdc20000 | 0xffdc2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffdc30000 | 0xffdc30000 | 0xffdc36fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ffdc40000 | 0xffdc40000 | 0xffdc4efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000ffdc50000 | 0xffdc50000 | 0xffdccffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ffdcd0000 | 0xffdcd0000 | 0xffdcd3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ffdce0000 | 0xffdce0000 | 0xffdce0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000ffdcf0000 | 0xffdcf0000 | 0xffdcf1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xffdd00000 | 0xffdd7dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000ffdd80000 | 0xffdd80000 | 0xffdd86fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ffdd90000 | 0xffdd90000 | 0xffdd92fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ffdda0000 | 0xffdda0000 | 0xffdda0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffddb0000 | 0xffddb0000 | 0xffddb0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffddc0000 | 0xffddc0000 | 0xffddc0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffddd0000 | 0xffddd0000 | 0xffddd6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffdde0000 | 0xffdde0000 | 0xffdde0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffdde0000 | 0xffdde0000 | 0xffddeffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffddf0000 | 0xffddf0000 | 0xffddf0fff | Private Memory | Readable, Writable |
|
|
|
|
| resources.pri | 0xffde00000 | 0xffde02fff | Memory Mapped File | Readable |
|
|
|
|
| wifidisplay.dll.mui | 0xffde00000 | 0xffde00fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000ffde10000 | 0xffde10000 | 0xffde10fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ffde20000 | 0xffde20000 | 0xffde20fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000ffde30000 | 0xffde30000 | 0xffdf2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffdf30000 | 0xffdf30000 | 0xffe0effff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xffdf30000 | 0xffdfe9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000ffdf30000 | 0xffdf30000 | 0xffe0b7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| 754694702.pri | 0xffe0c0000 | 0xffe0c0fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000ffe0c0000 | 0xffe0c0000 | 0xffe0c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffe0d0000 | 0xffe0d0000 | 0xffe0d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffe0d0000 | 0xffe0d0000 | 0xffe0d7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffe0e0000 | 0xffe0e0000 | 0xffe0effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ffe0f0000 | 0xffe0f0000 | 0xffe270fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ffe280000 | 0xffe280000 | 0xffe33ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ffe340000 | 0xffe340000 | 0xffe739fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000ffe740000 | 0xffe740000 | 0xffe7bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffe7c0000 | 0xffe7c0000 | 0xffe83ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0xffe840000 | 0xffeb14fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000ffeb20000 | 0xffeb20000 | 0xffeb9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffeb20000 | 0xffeb20000 | 0xffeb20fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffeb30000 | 0xffeb30000 | 0xffeb30fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffeb40000 | 0xffeb40000 | 0xffeb40fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffeb50000 | 0xffeb50000 | 0xffeb50fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffeb60000 | 0xffeb60000 | 0xffeb61fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffeb70000 | 0xffeb70000 | 0xffeb70fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffeb80000 | 0xffeb80000 | 0xffeb80fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffeb90000 | 0xffeb90000 | 0xffeb9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffeba0000 | 0xffeba0000 | 0xffec1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffec20000 | 0xffec20000 | 0xffed1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffed20000 | 0xffed20000 | 0xffed9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffeda0000 | 0xffeda0000 | 0xffee1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffee20000 | 0xffee20000 | 0xffee9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffeea0000 | 0xffeea0000 | 0xffef1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffef20000 | 0xffef20000 | 0xffef9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ffefa0000 | 0xffefa0000 | 0xfff01ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff020000 | 0xfff020000 | 0xfff09ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff0a0000 | 0xfff0a0000 | 0xfff11ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff120000 | 0xfff120000 | 0xfff19ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff1a0000 | 0xfff1a0000 | 0xfff21ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff220000 | 0xfff220000 | 0xfff29ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff2a0000 | 0xfff2a0000 | 0xfff31ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff320000 | 0xfff320000 | 0xfff41ffff | Private Memory | Readable, Writable |
|
|
|
|
| oleaut32.dll | 0xfff420000 | 0xfff4d5fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000fff420000 | 0xfff420000 | 0xfff49ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff4a0000 | 0xfff4a0000 | 0xfff51ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff520000 | 0xfff520000 | 0xfff520fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff530000 | 0xfff530000 | 0xfff530fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff540000 | 0xfff540000 | 0xfff542fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff550000 | 0xfff550000 | 0xfff550fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff560000 | 0xfff560000 | 0xfff561fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff570000 | 0xfff570000 | 0xfff571fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff580000 | 0xfff580000 | 0xfff580fff | Private Memory | Readable, Writable |
|
|
|
|
| resources.en-us.pri | 0xfff590000 | 0xfff590fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000fff590000 | 0xfff590000 | 0xfff68ffff | Private Memory | Readable, Writable |
|
|
|
|
| resources.en-us.pri | 0xfff690000 | 0xfff690fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000fff690000 | 0xfff690000 | 0xfff6a2fff | Private Memory |
|
|
|
|
|
| wifidisplay.dll | 0xfff690000 | 0xfff6acfff | Memory Mapped File | Readable |
|
|
|
|
| wifidisplay.dll | 0xfff690000 | 0xfff6acfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000fff690000 | 0xfff690000 | 0xfff88ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fff890000 | 0xfff890000 | 0xfffa8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000fffa90000 | 0xfffa90000 | 0xfffaa2fff | Private Memory |
|
|
|
|
|
| private_0x00007ff6180f6000 | 0x7ff6180f6000 | 0x7ff6180f7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6180f8000 | 0x7ff6180f8000 | 0x7ff6180f9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6180fa000 | 0x7ff6180fa000 | 0x7ff6180fbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6180fc000 | 0x7ff6180fc000 | 0x7ff6180fdfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6180fe000 | 0x7ff6180fe000 | 0x7ff6180fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff618100000 | 0x7ff618100000 | 0x7ff618101fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff618102000 | 0x7ff618102000 | 0x7ff618103fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff618104000 | 0x7ff618104000 | 0x7ff618105fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff618106000 | 0x7ff618106000 | 0x7ff618107fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff618108000 | 0x7ff618108000 | 0x7ff618109fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61810a000 | 0x7ff61810a000 | 0x7ff61810bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61810c000 | 0x7ff61810c000 | 0x7ff61810dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61810e000 | 0x7ff61810e000 | 0x7ff61810ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff618110000 | 0x7ff618110000 | 0x7ff61820ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff618210000 | 0x7ff618210000 | 0x7ff618232fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff618234000 | 0x7ff618234000 | 0x7ff618235fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff618236000 | 0x7ff618236000 | 0x7ff618237fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff618238000 | 0x7ff618238000 | 0x7ff618239fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61823a000 | 0x7ff61823a000 | 0x7ff61823afff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61823c000 | 0x7ff61823c000 | 0x7ff61823dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61823e000 | 0x7ff61823e000 | 0x7ff61823ffff | Private Memory | Readable, Writable |
|
|
|
|
| svchost.exe | 0x7ff618320000 | 0x7ff61832bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mrmcorer.dll | 0x7ffd14f60000 | 0x7ffd15041fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wfapigp.dll | 0x7ffd15350000 | 0x7ffd15359fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| urlmon.dll | 0x7ffd15690000 | 0x7ffd157eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| adhapi.dll | 0x7ffd158f0000 | 0x7ffd158f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpssvc.dll | 0x7ffd15e20000 | 0x7ffd15ef8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bfe.dll | 0x7ffd163f0000 | 0x7ffd164bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc.dll | 0x7ffd18180000 | 0x7ffd18198fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc6.dll | 0x7ffd181a0000 | 0x7ffd181b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fwpuclnt.dll | 0x7ffd18220000 | 0x7ffd18286fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| taskschd.dll | 0x7ffd190d0000 | 0x7ffd1926cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x7ffd195b0000 | 0x7ffd195dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wevtapi.dll | 0x7ffd195e0000 | 0x7ffd19646fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dps.dll | 0x7ffd1a310000 | 0x7ffd1a33cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcp47langs.dll | 0x7ffd1ad20000 | 0x7ffd1ad7dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| firewallapi.dll | 0x7ffd1bbd0000 | 0x7ffd1bc85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gpapi.dll | 0x7ffd1bea0000 | 0x7ffd1bec2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pcwum.dll | 0x7ffd1bee0000 | 0x7ffd1beedfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| authz.dll | 0x7ffd1bf60000 | 0x7ffd1bfa7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x7ffd1c390000 | 0x7ffd1c432fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x7ffd1c5e0000 | 0x7ffd1c637fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 74 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:54 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x450 |
| Parent PID | 0x320 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
454
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x00000092c9d30000 | 0x92c9d30000 | 0x92c9d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000092c9d30000 | 0x92c9d30000 | 0x92c9d3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000092c9d40000 | 0x92c9d40000 | 0x92c9d46fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000092c9d50000 | 0x92c9d50000 | 0x92c9d5efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000092c9d60000 | 0x92c9d60000 | 0x92ca15ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000092ca160000 | 0x92ca160000 | 0x92ca163fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000092ca170000 | 0x92ca170000 | 0x92ca171fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000092ca180000 | 0x92ca180000 | 0x92ca181fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x92ca190000 | 0x92ca20dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000092ca210000 | 0x92ca210000 | 0x92ca216fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x92ca220000 | 0x92ca253fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000092ca220000 | 0x92ca220000 | 0x92ca220fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000092ca230000 | 0x92ca230000 | 0x92ca230fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0x92ca240000 | 0x92ca240fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000092ca240000 | 0x92ca240000 | 0x92ca240fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000092ca240000 | 0x92ca240000 | 0x92ca243fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000092ca250000 | 0x92ca250000 | 0x92ca251fff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0x92ca260000 | 0x92ca319fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000092ca260000 | 0x92ca260000 | 0x92ca266fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000092ca270000 | 0x92ca270000 | 0x92ca270fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000092ca280000 | 0x92ca280000 | 0x92ca282fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000092ca280000 | 0x92ca280000 | 0x92ca280fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000092ca290000 | 0x92ca290000 | 0x92ca290fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000092ca2a0000 | 0x92ca2a0000 | 0x92ca2a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000092ca2a0000 | 0x92ca2a0000 | 0x92ca2a2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000092ca2b0000 | 0x92ca2b0000 | 0x92ca2b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| user32.dll.mui | 0x92ca2c0000 | 0x92ca2c4fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000092ca2d0000 | 0x92ca2d0000 | 0x92ca313fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| sysmain.sdb | 0x92ca2d0000 | 0x92ca333fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000092ca340000 | 0x92ca340000 | 0x92ca73ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000092ca740000 | 0x92ca740000 | 0x92ca90ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000092ca740000 | 0x92ca740000 | 0x92ca8c7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000092ca8d0000 | 0x92ca8d0000 | 0x92ca8f4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000092ca900000 | 0x92ca900000 | 0x92ca90ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000092ca910000 | 0x92ca910000 | 0x92caa90fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000092caaa0000 | 0x92caaa0000 | 0x92cbe9ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000092cbea0000 | 0x92cbea0000 | 0x92cc03ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000092cbea0000 | 0x92cbea0000 | 0x92cbf8ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000092cc030000 | 0x92cc030000 | 0x92cc03ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000092cc040000 | 0x92cc040000 | 0x92cc13ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x92cc140000 | 0x92cc240fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0x92cc140000 | 0x92cc414fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000092cc420000 | 0x92cc420000 | 0x92cc911fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x92cc920000 | 0x92cd78ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000092cd790000 | 0x92cd790000 | 0x92cd9a7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0x92cd9b0000 | 0x92d0845fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000092d0850000 | 0x92d0850000 | 0x92d0c49fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000092d0c50000 | 0x92d0c50000 | 0x92d0d5dfff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x92d0c50000 | 0x92d0d58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00007ff6ce680000 | 0x7ff6ce680000 | 0x7ff6ce77ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ce780000 | 0x7ff6ce780000 | 0x7ff6ce7a2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6ce7ad000 | 0x7ff6ce7ad000 | 0x7ff6ce7aefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6ce7af000 | 0x7ff6ce7af000 | 0x7ff6ce7affff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x7ffd1b950000 | 0x7ffd1b9dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #59 |
| File Name | c:\program files\microsoft office\office15\msoia.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\msoia.exe" scan upload |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:54 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x45c |
| Parent PID | 0x320 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
460
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| msvcp100.dll | 0x5e630000 | 0x5e6c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr100.dll | 0x5e6d0000 | 0x5e7a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000008a68910000 | 0x8a68910000 | 0x8a6892ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008a68910000 | 0x8a68910000 | 0x8a6891ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000008a68920000 | 0x8a68920000 | 0x8a68926fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008a68930000 | 0x8a68930000 | 0x8a6893efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000008a68940000 | 0x8a68940000 | 0x8a68a3ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008a68a40000 | 0x8a68a40000 | 0x8a68a43fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000008a68a50000 | 0x8a68a50000 | 0x8a68a51fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x8a68a60000 | 0x8a68addfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000008a68ae0000 | 0x8a68ae0000 | 0x8a68ae6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008a68af0000 | 0x8a68af0000 | 0x8a68af6fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x8a68b00000 | 0x8a68b33fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000008a68b00000 | 0x8a68b00000 | 0x8a68b00fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008a68b10000 | 0x8a68b10000 | 0x8a68b10fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008a68b20000 | 0x8a68b20000 | 0x8a68b20fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008a68b30000 | 0x8a68b30000 | 0x8a68b30fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008a68b60000 | 0x8a68b60000 | 0x8a68c5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008a68c60000 | 0x8a68c60000 | 0x8a68d2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000008a68d30000 | 0x8a68d30000 | 0x8a68dfffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000008a68e00000 | 0x8a68e00000 | 0x8a68f87fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008a68f90000 | 0x8a68f90000 | 0x8a69110fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000008a69120000 | 0x8a69120000 | 0x8a6a51ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff7cc8d0000 | 0x7ff7cc8d0000 | 0x7ff7cc9cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff7cc9d0000 | 0x7ff7cc9d0000 | 0x7ff7cc9f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff7cc9fd000 | 0x7ff7cc9fd000 | 0x7ff7cc9fefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7cc9ff000 | 0x7ff7cc9ff000 | 0x7ff7cc9fffff | Private Memory | Readable, Writable |
|
|
|
|
| msoia.exe | 0x7ff7cccf0000 | 0x7ff7ccd4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #60 |
| File Name | c:\windows\system32\taskhost.exe |
| Command Line | taskhost.exe TpmTasks |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:52 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x4c0 |
| Parent PID | 0x320 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4C4
0x
4A0
0x
83C
0x
874
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000007aeffa0000 | 0x7aeffa0000 | 0x7aeffbffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007aeffa0000 | 0x7aeffa0000 | 0x7aeffaffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000007aeffb0000 | 0x7aeffb0000 | 0x7aeffb6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007aeffc0000 | 0x7aeffc0000 | 0x7aeffcefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007aeffd0000 | 0x7aeffd0000 | 0x7af004ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007af0050000 | 0x7af0050000 | 0x7af0053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007af0060000 | 0x7af0060000 | 0x7af0060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007af0070000 | 0x7af0070000 | 0x7af0071fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007af0080000 | 0x7af0080000 | 0x7af019ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007af0080000 | 0x7af0080000 | 0x7af0086fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007af0090000 | 0x7af0090000 | 0x7af0092fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007af00a0000 | 0x7af00a0000 | 0x7af019ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x7af01a0000 | 0x7af021dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007af0220000 | 0x7af0220000 | 0x7af025ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007af0220000 | 0x7af0220000 | 0x7af0220fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskhost.exe.mui | 0x7af0230000 | 0x7af0230fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007af0240000 | 0x7af0240000 | 0x7af0240fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007af0250000 | 0x7af0250000 | 0x7af025ffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0x7af0260000 | 0x7af03d6fff | Memory Mapped File | Readable |
|
|
|
|
| rpcss.dll | 0x7af0260000 | 0x7af0319fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007af0260000 | 0x7af0260000 | 0x7af03e7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007af03f0000 | 0x7af03f0000 | 0x7af0570fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007af0580000 | 0x7af0580000 | 0x7af063ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007af0640000 | 0x7af0640000 | 0x7af0640fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007af0650000 | 0x7af0650000 | 0x7af06cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007af06d0000 | 0x7af06d0000 | 0x7af074ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007af0750000 | 0x7af0750000 | 0x7af0750fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007af0760000 | 0x7af0760000 | 0x7af0760fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007af0770000 | 0x7af0770000 | 0x7af07effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007af07f0000 | 0x7af07f0000 | 0x7af07f0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff7f3f40000 | 0x7ff7f3f40000 | 0x7ff7f403ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff7f4040000 | 0x7ff7f4040000 | 0x7ff7f4062fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff7f4064000 | 0x7ff7f4064000 | 0x7ff7f4064fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f4068000 | 0x7ff7f4068000 | 0x7ff7f4069fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f406a000 | 0x7ff7f406a000 | 0x7ff7f406bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f406c000 | 0x7ff7f406c000 | 0x7ff7f406dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f406e000 | 0x7ff7f406e000 | 0x7ff7f406ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskhost.exe | 0x7ff7f4a20000 | 0x7ff7f4a35fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| tbs.dll | 0x7ffd11970000 | 0x7ffd1197afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| tpmtasks.dll | 0x7ffd11d10000 | 0x7ffd11d3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wevtapi.dll | 0x7ffd195e0000 | 0x7ffd19646fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| aepic.dll | 0x7ffd1a130000 | 0x7ffd1a14bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sfc_os.dll | 0x7ffd1a3a0000 | 0x7ffd1a3affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntasn1.dll | 0x7ffd1c800000 | 0x7ffd1c839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ncrypt.dll | 0x7ffd1c840000 | 0x7ffd1c863fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x7ffd1ce20000 | 0x7ffd1cff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:50 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x598 |
| Parent PID | 0x228 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
59C
0x
5BC
0x
5C0
0x
5C4
0x
5C8
0x
5CC
0x
5D0
0x
608
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000005b48a30000 | 0x5b48a30000 | 0x5b48a4ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b48a30000 | 0x5b48a30000 | 0x5b48a3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b48a40000 | 0x5b48a40000 | 0x5b48a46fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b48a50000 | 0x5b48a50000 | 0x5b48a5efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005b48a60000 | 0x5b48a60000 | 0x5b48b5ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b48b60000 | 0x5b48b60000 | 0x5b48b63fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005b48b70000 | 0x5b48b70000 | 0x5b48b71fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b48b80000 | 0x5b48b80000 | 0x5b48b86fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b48b90000 | 0x5b48b90000 | 0x5b48c8ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x5b48c90000 | 0x5b48d0dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005b48d10000 | 0x5b48d10000 | 0x5b48e2ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x5b48d10000 | 0x5b48dc9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000005b48d10000 | 0x5b48d10000 | 0x5b48d10fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005b48d20000 | 0x5b48d20000 | 0x5b48d20fff | Pagefile Backed Memory | Readable |
|
|
|
|
| imm32.dll | 0x5b48d30000 | 0x5b48d63fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005b48d30000 | 0x5b48d30000 | 0x5b48d30fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b48d40000 | 0x5b48d40000 | 0x5b48d40fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b48d50000 | 0x5b48d50000 | 0x5b48d50fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005b48d50000 | 0x5b48d50000 | 0x5b48d53fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005b48d60000 | 0x5b48d60000 | 0x5b48d66fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b48d70000 | 0x5b48d70000 | 0x5b48d70fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b48d80000 | 0x5b48d80000 | 0x5b48d80fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b48d90000 | 0x5b48d90000 | 0x5b48d90fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b48da0000 | 0x5b48da0000 | 0x5b48dfffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b48da0000 | 0x5b48da0000 | 0x5b48daffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b48db0000 | 0x5b48db0000 | 0x5b48dbffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b48dc0000 | 0x5b48dc0000 | 0x5b48dcffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b48dd0000 | 0x5b48dd0000 | 0x5b48ddffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b48de0000 | 0x5b48de0000 | 0x5b48deffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b48df0000 | 0x5b48df0000 | 0x5b48dfffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b48e00000 | 0x5b48e00000 | 0x5b48e07fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b48e10000 | 0x5b48e10000 | 0x5b48e10fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b48e20000 | 0x5b48e20000 | 0x5b48e2ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x5b48e30000 | 0x5b49104fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005b49110000 | 0x5b49110000 | 0x5b4920ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b49210000 | 0x5b49210000 | 0x5b4930ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b49310000 | 0x5b49310000 | 0x5b4940ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b49410000 | 0x5b49410000 | 0x5b4950ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b49510000 | 0x5b49510000 | 0x5b49697fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005b496a0000 | 0x5b496a0000 | 0x5b49820fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005b49830000 | 0x5b49830000 | 0x5b4ac2ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005b4ac30000 | 0x5b4ac30000 | 0x5b4ad5ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b4ac30000 | 0x5b4ac30000 | 0x5b4ad1ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005b4ad20000 | 0x5b4ad20000 | 0x5b4ad20fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4ad30000 | 0x5b4ad30000 | 0x5b4ad33fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4ad40000 | 0x5b4ad40000 | 0x5b4ad41fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4ad50000 | 0x5b4ad50000 | 0x5b4ad5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4ad60000 | 0x5b4ad60000 | 0x5b4ae5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4ae60000 | 0x5b4ae60000 | 0x5b4af5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4af60000 | 0x5b4af60000 | 0x5b4afbffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b4af60000 | 0x5b4af60000 | 0x5b4af6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b4af70000 | 0x5b4af70000 | 0x5b4af7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b4af80000 | 0x5b4af80000 | 0x5b4af8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b4af90000 | 0x5b4af90000 | 0x5b4af9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b4afa0000 | 0x5b4afa0000 | 0x5b4afaffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005b4afb0000 | 0x5b4afb0000 | 0x5b4afbffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4afc0000 | 0x5b4afc0000 | 0x5b4bfbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4bfc0000 | 0x5b4bfc0000 | 0x5b4bfc0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4bfd0000 | 0x5b4bfd0000 | 0x5b4c05ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4c060000 | 0x5b4c060000 | 0x5b4c060fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4c060000 | 0x5b4c060000 | 0x5b4c061fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4c060000 | 0x5b4c060000 | 0x5b5005ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4c070000 | 0x5b4c070000 | 0x5b4c070fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4c080000 | 0x5b4c080000 | 0x5b4c081fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4c080000 | 0x5b4c080000 | 0x5b4c087fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4c090000 | 0x5b4c090000 | 0x5b4c09ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b4c090000 | 0x5b4c090000 | 0x5b5008ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b50060000 | 0x5b50060000 | 0x5b5405ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b50090000 | 0x5b50090000 | 0x5b5408ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b54060000 | 0x5b54060000 | 0x5b54067fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b54070000 | 0x5b54070000 | 0x5b5407ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b54070000 | 0x5b54070000 | 0x5b54077fff | Private Memory | Readable, Writable |
|
|
|
|
| webcachev01.dat | 0x5b54070000 | 0x5b5407ffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b54080000 | 0x5b5408ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005b54090000 | 0x5b54090000 | 0x5b5418ffff | Private Memory | Readable, Writable |
|
|
|
|
| webcachev01.dat | 0x5b54190000 | 0x5b5419ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005b54190000 | 0x5b54190000 | 0x5b54190fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b54190000 | 0x5b54190000 | 0x5b54197fff | Private Memory | Readable, Writable |
|
|
|
|
| webcachev01.dat | 0x5b541a0000 | 0x5b541affff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005b541a0000 | 0x5b541a0000 | 0x5b541a7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b541a0000 | 0x5b541a0000 | 0x5b541a0fff | Private Memory | Readable, Writable |
|
|
|
|
| webcachev01.dat | 0x5b541b0000 | 0x5b541bffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b541c0000 | 0x5b541cffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005b541d0000 | 0x5b541d0000 | 0x5b542cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b542d0000 | 0x5b542d0000 | 0x5b542d7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005b542e0000 | 0x5b542e0000 | 0x5b542e7fff | Private Memory | Readable, Writable |
|
|
|
|
| webcachev01.dat | 0x5b542f0000 | 0x5b542fffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b54300000 | 0x5b5430ffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b54310000 | 0x5b5431ffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b54320000 | 0x5b5432ffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b54330000 | 0x5b5433ffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b54340000 | 0x5b5434ffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b54350000 | 0x5b5435ffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b54360000 | 0x5b5436ffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b54370000 | 0x5b5437ffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b54380000 | 0x5b5438ffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b54390000 | 0x5b5439ffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b543a0000 | 0x5b543affff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b543b0000 | 0x5b543bffff | Memory Mapped File | Readable |
|
|
|
|
| webcachev01.dat | 0x5b543c0000 | 0x5b543cffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005b543c0000 | 0x5b543c0000 | 0x5b543c7fff | Private Memory | Readable, Writable |
|
|
|
|
| webcachev01.dat | 0x5b543d0000 | 0x5b543dffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00007ff60b7ee000 | 0x7ff60b7ee000 | 0x7ff60b7effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff60b7f0000 | 0x7ff60b7f0000 | 0x7ff60b8effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff60b8f0000 | 0x7ff60b8f0000 | 0x7ff60b912fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff60b913000 | 0x7ff60b913000 | 0x7ff60b914fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60b915000 | 0x7ff60b915000 | 0x7ff60b916fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60b917000 | 0x7ff60b917000 | 0x7ff60b918fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60b919000 | 0x7ff60b919000 | 0x7ff60b91afff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60b91b000 | 0x7ff60b91b000 | 0x7ff60b91cfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60b91d000 | 0x7ff60b91d000 | 0x7ff60b91efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60b91f000 | 0x7ff60b91f000 | 0x7ff60b91ffff | Private Memory | Readable, Writable |
|
|
|
|
| dllhost.exe | 0x7ff60bd90000 | 0x7ff60bd96fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| esent.dll | 0x7ffd15360000 | 0x7ffd15610fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sqmapi.dll | 0x7ffd15620000 | 0x7ffd15667fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #62 |
| File Name | c:\windows\system32\thumbnailextractionhost.exe |
| Command Line | C:\Windows\System32\ThumbnailExtractionHost.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:50 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x600 |
| Parent PID | 0x228 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
604
0x
624
0x
628
0x
62C
0x
638
0x
63C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000654a5b0000 | 0x654a5b0000 | 0x654a5cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000654a5b0000 | 0x654a5b0000 | 0x654a5bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000654a5c0000 | 0x654a5c0000 | 0x654a5c6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000654a5d0000 | 0x654a5d0000 | 0x654a5defff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000654a5e0000 | 0x654a5e0000 | 0x654a65ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000654a660000 | 0x654a660000 | 0x654a663fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000654a670000 | 0x654a670000 | 0x654a672fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000654a680000 | 0x654a680000 | 0x654a681fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x654a690000 | 0x654a70dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000654a710000 | 0x654a710000 | 0x654a80ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000654a810000 | 0x654a810000 | 0x654a997fff | Pagefile Backed Memory | Readable |
|
|
|
|
| imm32.dll | 0x654a9a0000 | 0x654a9d3fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000654a9a0000 | 0x654a9a0000 | 0x654ab7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000654a9a0000 | 0x654a9a0000 | 0x654a9a6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000654a9b0000 | 0x654a9b0000 | 0x654ab30fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000654ab40000 | 0x654ab40000 | 0x654ab40fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000654ab50000 | 0x654ab50000 | 0x654ab50fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000654ab60000 | 0x654ab60000 | 0x654ab60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000654ab60000 | 0x654ab60000 | 0x654ab63fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000654ab70000 | 0x654ab70000 | 0x654ab7ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000654ab80000 | 0x654ab80000 | 0x654bf7ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| ole32.dll | 0x654bf80000 | 0x654c0f6fff | Memory Mapped File | Readable |
|
|
|
|
| rpcss.dll | 0x654bf80000 | 0x654c039fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000654bf80000 | 0x654bf80000 | 0x654c08ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000654bf80000 | 0x654bf80000 | 0x654c06ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000654c070000 | 0x654c070000 | 0x654c076fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000654c080000 | 0x654c080000 | 0x654c08ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000654c090000 | 0x654c090000 | 0x654c090fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x654c0a0000 | 0x654c374fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000654c380000 | 0x654c380000 | 0x654c3fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000654c400000 | 0x654c400000 | 0x654c47ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000654c480000 | 0x654c480000 | 0x654c4fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000654c500000 | 0x654c500000 | 0x654c57ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000654c580000 | 0x654c580000 | 0x654c5fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff738cce000 | 0x7ff738cce000 | 0x7ff738ccffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff738cd0000 | 0x7ff738cd0000 | 0x7ff738dcffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff738dd0000 | 0x7ff738dd0000 | 0x7ff738df2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff738df5000 | 0x7ff738df5000 | 0x7ff738df5fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff738df6000 | 0x7ff738df6000 | 0x7ff738df7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff738df8000 | 0x7ff738df8000 | 0x7ff738df9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff738dfa000 | 0x7ff738dfa000 | 0x7ff738dfbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff738dfc000 | 0x7ff738dfc000 | 0x7ff738dfdfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff738dfe000 | 0x7ff738dfe000 | 0x7ff738dfffff | Private Memory | Readable, Writable |
|
|
|
|
| thumbnailextractionhost.exe | 0x7ff738e70000 | 0x7ff738e7bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x7ffd19f90000 | 0x7ffd1a0f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe |
| Command Line | "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:26, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:49 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x630 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Groups |
|
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
634
0x
688
0x
68C
0x
960
0x
BBC
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002a0000 | 0x002a0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002defff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000420000 | 0x00420000 | 0x00423fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000430000 | 0x00430000 | 0x00430fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x00441fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x00450fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x005f0000 | 0x0066dfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000800000 | 0x00800000 | 0x00980fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000990000 | 0x00990000 | 0x00a4ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000a50000 | 0x00a50000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a50000 | 0x00a50000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000be0000 | 0x00be0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000d60000 | 0x00d60000 | 0x00d9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000da0000 | 0x00da0000 | 0x00e9ffff | Private Memory | Readable, Writable |
|
|
|
|
| armsvc.exe | 0x013a0000 | 0x013b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x74da0000 | 0x74da8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr90.dll | 0x74db0000 | 0x74e52fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x74e60000 | 0x74eb0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74ec0000 | 0x74ec8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x74ed0000 | 0x74eecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x750a0000 | 0x751edfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x75210000 | 0x7521dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75280000 | 0x7534efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75400000 | 0x7554ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x75550000 | 0x756cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x759e0000 | 0x75a1dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75a20000 | 0x75b2afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x75b30000 | 0x75bb6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x75bd0000 | 0x75d0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x75bd0000 | 0x75d0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wintrust.dll | 0x75d10000 | 0x75d48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x75d50000 | 0x75e0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x75ea0000 | 0x75f16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x75f20000 | 0x75f60fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x75f70000 | 0x77112fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x771c0000 | 0x77270fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77280000 | 0x77387fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x773d0000 | 0x773d8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x773e0000 | 0x77447fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x77450000 | 0x77498fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x774a0000 | 0x77607fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007ef7a000 | 0x7ef7a000 | 0x7ef7cfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ef7d000 | 0x7ef7d000 | 0x7ef7ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007ef80000 | 0x7ef80000 | 0x7f07ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000007f080000 | 0x7f080000 | 0x7f0a2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0a5000 | 0x7f0a5000 | 0x7f0a7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007f0a8000 | 0x7f0a8000 | 0x7f0a8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007f0aa000 | 0x7f0aa000 | 0x7f0aafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007f0ad000 | 0x7f0ad000 | 0x7f0affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffd1f91ffff | Private Memory | Readable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00007ffd1fac9000 | 0x7ffd1fac9000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #64 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:43 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x6a8 |
| Parent PID | 0x228 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6AC
0x
6C8
0x
6CC
0x
6D0
0x
6D4
0x
6E0
0x
6E4
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000007d54360000 | 0x7d54360000 | 0x7d5437ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d54360000 | 0x7d54360000 | 0x7d5436ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d54370000 | 0x7d54370000 | 0x7d54376fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d54380000 | 0x7d54380000 | 0x7d5438efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007d54390000 | 0x7d54390000 | 0x7d5448ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d54490000 | 0x7d54490000 | 0x7d54493fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007d544a0000 | 0x7d544a0000 | 0x7d544a1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d544b0000 | 0x7d544b0000 | 0x7d5462ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x7d544b0000 | 0x7d5452dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007d54530000 | 0x7d54530000 | 0x7d5462ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d54630000 | 0x7d54630000 | 0x7d546effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d54630000 | 0x7d54630000 | 0x7d54636fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d54640000 | 0x7d54640000 | 0x7d54640fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007d54650000 | 0x7d54650000 | 0x7d54650fff | Pagefile Backed Memory | Readable |
|
|
|
|
| imm32.dll | 0x7d54660000 | 0x7d54693fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007d54660000 | 0x7d54660000 | 0x7d54660fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d54670000 | 0x7d54670000 | 0x7d54670fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d54680000 | 0x7d54680000 | 0x7d54680fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007d54680000 | 0x7d54680000 | 0x7d54683fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007d54690000 | 0x7d54690000 | 0x7d54696fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d546a0000 | 0x7d546a0000 | 0x7d546a2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| windowsshell.manifest | 0x7d546b0000 | 0x7d546b0fff | Memory Mapped File | Readable |
|
|
|
|
| 4ghbrlq-jktwuq.encrypted.bmp | 0x7d546b0000 | 0x7d546bdfff | Memory Mapped File | Readable |
|
|
|
|
| 7tly.encrypted.png | 0x7d546b0000 | 0x7d546b5fff | Memory Mapped File | Readable |
|
|
|
|
| b1drbf6bjih2t5r.encrypted.bmp | 0x7d546b0000 | 0x7d546b9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007d546b0000 | 0x7d546b0000 | 0x7d546b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d546c0000 | 0x7d546c0000 | 0x7d546c1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cversions.1.db | 0x7d546d0000 | 0x7d546d3fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007d546d0000 | 0x7d546d0000 | 0x7d546d2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007d546e0000 | 0x7d546e0000 | 0x7d546effff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x7d546f0000 | 0x7d547a9fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0x7d546f0000 | 0x7d549c4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007d549d0000 | 0x7d549d0000 | 0x7d54acffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d54ad0000 | 0x7d54ad0000 | 0x7d54bcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d54bd0000 | 0x7d54bd0000 | 0x7d54ccffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d54cd0000 | 0x7d54cd0000 | 0x7d54dcffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d54dd0000 | 0x7d54dd0000 | 0x7d54f57fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007d54f60000 | 0x7d54f60000 | 0x7d550e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007d550f0000 | 0x7d550f0000 | 0x7d564effff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007d564f0000 | 0x7d564f0000 | 0x7d5665ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d564f0000 | 0x7d564f0000 | 0x7d565dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| djg5lkzha.encrypted.bmp | 0x7d565e0000 | 0x7d565f7fff | Memory Mapped File | Readable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001b.db | 0x7d565e0000 | 0x7d565f6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007d56600000 | 0x7d56600000 | 0x7d56600fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007d56610000 | 0x7d56610000 | 0x7d56610fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| frzbojgkva5c6myj.encrypted.mp4 | 0x7d56620000 | 0x7d56636fff | Memory Mapped File | Readable |
|
|
|
|
| k9uoo8fw7r.encrypted.jpg | 0x7d56620000 | 0x7d56636fff | Memory Mapped File | Readable |
|
|
|
|
| kqg5xtni4dupero o1m.encrypted.jpg | 0x7d56620000 | 0x7d56635fff | Memory Mapped File | Readable |
|
|
|
|
| n0ie6v_g.encrypted.avi | 0x7d56620000 | 0x7d56623fff | Memory Mapped File | Readable |
|
|
|
|
| ostre2ekexrlom6.encrypted.jpg | 0x7d56620000 | 0x7d56623fff | Memory Mapped File | Readable |
|
|
|
|
| uk 6ek_ge.encrypted.png | 0x7d56620000 | 0x7d56626fff | Memory Mapped File | Readable |
|
|
|
|
| ur9w.encrypted.mp3 | 0x7d56620000 | 0x7d5662ffff | Memory Mapped File | Readable |
|
|
|
|
| xe_1j.encrypted.avi | 0x7d56620000 | 0x7d56627fff | Memory Mapped File | Readable |
|
|
|
|
| ypmyrw0yu.encrypted.mp3 | 0x7d56620000 | 0x7d56633fff | Memory Mapped File | Readable |
|
|
|
|
| zpipq.encrypted.avi | 0x7d56620000 | 0x7d56625fff | Memory Mapped File | Readable |
|
|
|
|
| 4ghbrlq-jktwuq.encrypted.bmp | 0x7d56620000 | 0x7d5662dfff | Memory Mapped File | Readable |
|
|
|
|
| 7tly.encrypted.png | 0x7d56620000 | 0x7d56625fff | Memory Mapped File | Readable |
|
|
|
|
| b1drbf6bjih2t5r.encrypted.bmp | 0x7d56620000 | 0x7d56629fff | Memory Mapped File | Readable |
|
|
|
|
| djg5lkzha.encrypted.bmp | 0x7d56620000 | 0x7d56637fff | Memory Mapped File | Readable |
|
|
|
|
| cchnli nseui.encrypted.mp3 | 0x7d56620000 | 0x7d56621fff | Memory Mapped File | Readable |
|
|
|
|
| jmyon8-h.mp3 | 0x7d56620000 | 0x7d56620fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007d56650000 | 0x7d56650000 | 0x7d5665ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007d56660000 | 0x7d56660000 | 0x7d5675ffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0x7d56760000 | 0x7d568d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007d56760000 | 0x7d56760000 | 0x7d56b59fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007d56b60000 | 0x7d56b60000 | 0x7d56c5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bb4e000 | 0x7ff60bb4e000 | 0x7ff60bb4ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff60bb50000 | 0x7ff60bb50000 | 0x7ff60bc4ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff60bc50000 | 0x7ff60bc50000 | 0x7ff60bc72fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff60bc74000 | 0x7ff60bc74000 | 0x7ff60bc75fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bc76000 | 0x7ff60bc76000 | 0x7ff60bc77fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bc78000 | 0x7ff60bc78000 | 0x7ff60bc78fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bc7a000 | 0x7ff60bc7a000 | 0x7ff60bc7bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bc7c000 | 0x7ff60bc7c000 | 0x7ff60bc7dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff60bc7e000 | 0x7ff60bc7e000 | 0x7ff60bc7ffff | Private Memory | Readable, Writable |
|
|
|
|
| dllhost.exe | 0x7ff60bd90000 | 0x7ff60bd96fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mfsrcsnk.dll | 0x7ffd137c0000 | 0x7ffd138a4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rtworkq.dll | 0x7ffd13a00000 | 0x7ffd13a23fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mfplat.dll | 0x7ffd13ab0000 | 0x7ffd13b83fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mfmp4srcsnk.dll | 0x7ffd13b90000 | 0x7ffd13c55fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| thumbcache.dll | 0x7ffd15d80000 | 0x7ffd15da9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| photometadatahandler.dll | 0x7ffd160a0000 | 0x7ffd1610ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| actxprxy.dll | 0x7ffd167a0000 | 0x7ffd16a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| avrt.dll | 0x7ffd19d70000 | 0x7ffd19d7afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| windowscodecs.dll | 0x7ffd19d80000 | 0x7ffd19f12fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x7ffd19f90000 | 0x7ffd1a0f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x7ffd1b950000 | 0x7ffd1b9dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x7ffd1db40000 | 0x7ffd1dd15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #65 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:40 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x7b4 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7B8
0x
7D8
0x
7E4
0x
7EC
0x
670
0x
66C
0x
718
0x
2B8
0x
810
0x
814
0x
820
0x
828
0x
830
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000006385c40000 | 0x6385c40000 | 0x6385c5ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006385c40000 | 0x6385c40000 | 0x6385c4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000006385c50000 | 0x6385c50000 | 0x6385c56fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006385c60000 | 0x6385c60000 | 0x6385c6efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006385c70000 | 0x6385c70000 | 0x6385ceffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006385cf0000 | 0x6385cf0000 | 0x6385cf3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006385d00000 | 0x6385d00000 | 0x6385d00fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006385d10000 | 0x6385d10000 | 0x6385d11fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006385d20000 | 0x6385d20000 | 0x6385e6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006385d20000 | 0x6385d20000 | 0x6385d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006385d20000 | 0x6385d20000 | 0x6385d26fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006385d30000 | 0x6385d30000 | 0x6385d32fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006385d40000 | 0x6385d40000 | 0x6385d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006385d50000 | 0x6385d50000 | 0x6385d50fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000006385d60000 | 0x6385d60000 | 0x6385d60fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006385d70000 | 0x6385d70000 | 0x6385e6ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x6385e70000 | 0x6385eedfff | Memory Mapped File | Readable |
|
|
|
|
| rpcss.dll | 0x6385ef0000 | 0x6385fa9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000006385ef0000 | 0x6385ef0000 | 0x6386077fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006386080000 | 0x6386080000 | 0x6386200fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006386210000 | 0x6386210000 | 0x63862cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000063862d0000 | 0x63862d0000 | 0x63866c9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000063866d0000 | 0x63866d0000 | 0x63866d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000063866e0000 | 0x63866e0000 | 0x638675ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006386760000 | 0x6386760000 | 0x63867dffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x63867e0000 | 0x6386ab4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000006386ac0000 | 0x6386ac0000 | 0x6386b3ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006386b40000 | 0x6386b40000 | 0x6386b40fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006386b50000 | 0x6386b50000 | 0x6386b50fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006386b60000 | 0x6386b60000 | 0x6386bdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006386be0000 | 0x6386be0000 | 0x6386cdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006386ce0000 | 0x6386ce0000 | 0x6386d5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006386d60000 | 0x6386d60000 | 0x6386d60fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006386d60000 | 0x6386d60000 | 0x6386ddffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006386de0000 | 0x6386de0000 | 0x6386e5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006386e60000 | 0x6386e60000 | 0x6386edffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006386ee0000 | 0x6386ee0000 | 0x6386f5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006386f60000 | 0x6386f60000 | 0x6386fdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617954000 | 0x7ff617954000 | 0x7ff617955fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617956000 | 0x7ff617956000 | 0x7ff617957fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617958000 | 0x7ff617958000 | 0x7ff617959fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61795a000 | 0x7ff61795a000 | 0x7ff61795bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61795c000 | 0x7ff61795c000 | 0x7ff61795dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff61795e000 | 0x7ff61795e000 | 0x7ff61795ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff617960000 | 0x7ff617960000 | 0x7ff617a5ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff617a60000 | 0x7ff617a60000 | 0x7ff617a82fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff617a84000 | 0x7ff617a84000 | 0x7ff617a85fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617a86000 | 0x7ff617a86000 | 0x7ff617a87fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617a88000 | 0x7ff617a88000 | 0x7ff617a89fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617a8a000 | 0x7ff617a8a000 | 0x7ff617a8bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617a8c000 | 0x7ff617a8c000 | 0x7ff617a8dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff617a8e000 | 0x7ff617a8e000 | 0x7ff617a8efff | Private Memory | Readable, Writable |
|
|
|
|
| svchost.exe | 0x7ff618320000 | 0x7ff61832bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ssdpsrv.dll | 0x7ffd122e0000 | 0x7ffd1231efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| timebrokerserver.dll | 0x7ffd131a0000 | 0x7ffd131defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| twinapi.dll | 0x7ffd17840000 | 0x7ffd178f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc.dll | 0x7ffd18180000 | 0x7ffd18198fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc6.dll | 0x7ffd181a0000 | 0x7ffd181b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bi.dll | 0x7ffd19f40000 | 0x7ffd19f4afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| firewallapi.dll | 0x7ffd1bbd0000 | 0x7ffd1bc85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x7ffd1c5e0000 | 0x7ffd1c637fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #66 |
| File Name | c:\windows\system32\taskhost.exe |
| Command Line | taskhost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:37, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:38 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x3b4 |
| Parent PID | 0x320 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2B8
0x
718
0x
6F8
0x
714
0x
740
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000c4913e0000 | 0xc4913e0000 | 0xc4913fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c4913e0000 | 0xc4913e0000 | 0xc4913effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000c4913f0000 | 0xc4913f0000 | 0xc4913f6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c491400000 | 0xc491400000 | 0xc49140efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c491410000 | 0xc491410000 | 0xc49148ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c491490000 | 0xc491490000 | 0xc491493fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c4914a0000 | 0xc4914a0000 | 0xc4914a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c4914b0000 | 0xc4914b0000 | 0xc4914b1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xc4914c0000 | 0xc49153dfff | Memory Mapped File | Readable |
|
|
|
|
| rpcss.dll | 0xc491540000 | 0xc4915f9fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000c491540000 | 0xc491540000 | 0xc491546fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c491550000 | 0xc491550000 | 0xc4915cffff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xc4915d0000 | 0xc491603fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000c4915d0000 | 0xc4915d0000 | 0xc4915d2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c4915e0000 | 0xc4915e0000 | 0xc4915e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskhost.exe.mui | 0xc4915f0000 | 0xc4915f0fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000c491600000 | 0xc491600000 | 0xc491600fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c491610000 | 0xc491610000 | 0xc491610fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c491620000 | 0xc491620000 | 0xc491620fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c491620000 | 0xc491620000 | 0xc491623fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c491630000 | 0xc491630000 | 0xc491636fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c491640000 | 0xc491640000 | 0xc491640fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c491650000 | 0xc491650000 | 0xc491650fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c491660000 | 0xc491660000 | 0xc491662fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c4916a0000 | 0xc4916a0000 | 0xc49179ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c4917a0000 | 0xc4917a0000 | 0xc49191ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000c4917a0000 | 0xc4917a0000 | 0xc49188ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c491890000 | 0xc491890000 | 0xc49190ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c491910000 | 0xc491910000 | 0xc49191ffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0xc491920000 | 0xc491a96fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000c491920000 | 0xc491920000 | 0xc491aa7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c491ab0000 | 0xc491ab0000 | 0xc491c30fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000c491c40000 | 0xc491c40000 | 0xc49303ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000c493040000 | 0xc493040000 | 0xc49322ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c493040000 | 0xc493040000 | 0xc4930bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000c493220000 | 0xc493220000 | 0xc49322ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff7f3c80000 | 0x7ff7f3c80000 | 0x7ff7f3d7ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff7f3d80000 | 0x7ff7f3d80000 | 0x7ff7f3da2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff7f3da6000 | 0x7ff7f3da6000 | 0x7ff7f3da7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f3da8000 | 0x7ff7f3da8000 | 0x7ff7f3da9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f3daa000 | 0x7ff7f3daa000 | 0x7ff7f3dabfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f3dac000 | 0x7ff7f3dac000 | 0x7ff7f3dacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff7f3dae000 | 0x7ff7f3dae000 | 0x7ff7f3daffff | Private Memory | Readable, Writable |
|
|
|
|
| taskhost.exe | 0x7ff7f4a20000 | 0x7ff7f4a35fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| settingsynccore.dll | 0x7ffd18290000 | 0x7ffd1834bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| idstore.dll | 0x7ffd18d30000 | 0x7ffd18d53fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samlib.dll | 0x7ffd18ec0000 | 0x7ffd18eddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\windows\system32\mobsync.exe |
| Command Line | C:\Windows\System32\mobsync.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:40, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:35 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x714 |
| Parent PID | 0x228 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
740
0x
238
0x
7AC
0x
3B4
0x
664
0x
438
0x
804
0x
808
0x
80C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000f500000000 | 0xf500000000 | 0xf50016ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f500000000 | 0xf500000000 | 0xf500000fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f500000000 | 0xf500000000 | 0xf5000effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f5000f0000 | 0xf5000f0000 | 0xf5000f3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f500100000 | 0xf500100000 | 0xf500106fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f500110000 | 0xf500110000 | 0xf500111fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f500120000 | 0xf500120000 | 0xf500122fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f500130000 | 0xf500130000 | 0xf500130fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| cscui.dll.mui | 0xf500140000 | 0xf500148fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000f500160000 | 0xf500160000 | 0xf50016ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f500170000 | 0xf500170000 | 0xf5001effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f5001f0000 | 0xf5001f0000 | 0xf50026ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f500270000 | 0xf500270000 | 0xf500669fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f500670000 | 0xf500670000 | 0xf5006effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f57df60000 | 0xf57df60000 | 0xf57df7ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f57df60000 | 0xf57df60000 | 0xf57df6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000f57df70000 | 0xf57df70000 | 0xf57df76fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f57df80000 | 0xf57df80000 | 0xf57df8efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f57df90000 | 0xf57df90000 | 0xf57e00ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f57e010000 | 0xf57e010000 | 0xf57e013fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f57e020000 | 0xf57e020000 | 0xf57e022fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f57e030000 | 0xf57e030000 | 0xf57e031fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xf57e040000 | 0xf57e0bdfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000f57e0c0000 | 0xf57e0c0000 | 0xf57e20ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f57e0c0000 | 0xf57e0c0000 | 0xf57e0c6fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xf57e0d0000 | 0xf57e103fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000f57e0d0000 | 0xf57e0d0000 | 0xf57e0d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f57e0e0000 | 0xf57e0e0000 | 0xf57e0e0fff | Private Memory | Readable, Writable |
|
|
|
|
| oleaut32.dll | 0xf57e0f0000 | 0xf57e1a5fff | Memory Mapped File | Readable |
|
|
|
|
| rpcss.dll | 0xf57e0f0000 | 0xf57e1a9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000f57e0f0000 | 0xf57e0f0000 | 0xf57e0f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f57e100000 | 0xf57e100000 | 0xf57e100fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f57e110000 | 0xf57e110000 | 0xf57e18ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f57e190000 | 0xf57e190000 | 0xf57e192fff | Pagefile Backed Memory | Readable |
|
|
|
|
| windowsshell.manifest | 0xf57e1a0000 | 0xf57e1a0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000f57e1b0000 | 0xf57e1b0000 | 0xf57e1b1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000f57e200000 | 0xf57e200000 | 0xf57e20ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f57e220000 | 0xf57e220000 | 0xf57e31ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000f57e320000 | 0xf57e320000 | 0xf57e4a7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f57e4b0000 | 0xf57e4b0000 | 0xf57e630fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000f57e640000 | 0xf57e640000 | 0xf57fa3ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0xf57fa40000 | 0xf57fd14fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000f57fd20000 | 0xf57fd20000 | 0xf57fd9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f57fda0000 | 0xf57fda0000 | 0xf57fe1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f57fe20000 | 0xf57fe20000 | 0xf57fe9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000f57fea0000 | 0xf57fea0000 | 0xf57ff1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63a1ea000 | 0x7ff63a1ea000 | 0x7ff63a1ebfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63a1ec000 | 0x7ff63a1ec000 | 0x7ff63a1edfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63a1ee000 | 0x7ff63a1ee000 | 0x7ff63a1effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff63a1f0000 | 0x7ff63a1f0000 | 0x7ff63a2effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff63a2f0000 | 0x7ff63a2f0000 | 0x7ff63a312fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff63a313000 | 0x7ff63a313000 | 0x7ff63a314fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63a315000 | 0x7ff63a315000 | 0x7ff63a316fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63a317000 | 0x7ff63a317000 | 0x7ff63a318fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63a319000 | 0x7ff63a319000 | 0x7ff63a31afff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63a31b000 | 0x7ff63a31b000 | 0x7ff63a31cfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63a31d000 | 0x7ff63a31d000 | 0x7ff63a31efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63a31f000 | 0x7ff63a31f000 | 0x7ff63a31ffff | Private Memory | Readable, Writable |
|
|
|
|
| mobsync.exe | 0x7ff63a5a0000 | 0x7ff63a5b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| syncinfrastructure.dll | 0x7ffd12040000 | 0x7ffd120a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| synccenter.dll | 0x7ffd12830000 | 0x7ffd12a61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cscapi.dll | 0x7ffd152c0000 | 0x7ffd152cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| actxprxy.dll | 0x7ffd167a0000 | 0x7ffd16a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7ffd19f70000 | 0x7ffd19f80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x7ffd19f90000 | 0x7ffd1a0f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cscdll.dll | 0x7ffd1a960000 | 0x7ffd1a96bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cscui.dll | 0x7ffd1a9e0000 | 0x7ffd1aa83fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x7ffd1c580000 | 0x7ffd1c5d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x7ffd1ce20000 | 0x7ffd1cff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x7ffd1db40000 | 0x7ffd1dd15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #68 |
| File Name | c:\windows\system32\audiodg.exe |
| Command Line | C:\Windows\system32\AUDIODG.EXE 0x7d8 |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:01:52, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:23 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x8b8 |
| Parent PID | 0x304 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8BC
0x
8C0
0x
8C4
0x
8C8
0x
8CC
0x
8D4
0x
8D8
0x
8DC
0x
8E4
0x
8E8
0x
8FC
0x
900
0x
908
0x
90C
0x
920
0x
924
0x
92C
0x
930
0x
944
0x
948
0x
950
0x
954
0x
96C
0x
970
0x
978
0x
97C
0x
990
0x
994
0x
99C
0x
9A0
0x
9B4
0x
9B8
0x
9C0
0x
9C4
0x
9F4
0x
9F8
0x
A00
0x
A04
0x
A2C
0x
A30
0x
A38
0x
A3C
0x
A50
0x
A54
0x
A5C
0x
A60
0x
A74
0x
A78
0x
A80
0x
A84
0x
A98
0x
A9C
0x
AA4
0x
AA8
0x
ABC
0x
AC0
0x
AC8
0x
ACC
0x
AE0
0x
AE4
0x
AEC
0x
AF0
0x
B04
0x
B08
0x
B10
0x
B14
0x
B28
0x
B2C
0x
B34
0x
B38
0x
B64
0x
B6C
0x
B70
0x
7AC
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000cbc13c0000 | 0xcbc13c0000 | 0xcbc13dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cbc13c0000 | 0xcbc13c0000 | 0xcbc13cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc13d0000 | 0xcbc13d0000 | 0xcbc13d6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cbc13e0000 | 0xcbc13e0000 | 0xcbc13eefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000cbc13f0000 | 0xcbc13f0000 | 0xcbc146ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xcbc1470000 | 0xcbc14edfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000cbc14f0000 | 0xcbc14f0000 | 0xcbc15bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc14f0000 | 0xcbc14f0000 | 0xcbc14f6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc1500000 | 0xcbc1500000 | 0xcbc1501fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc1510000 | 0xcbc1510000 | 0xcbc158ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cbc1590000 | 0xcbc1590000 | 0xcbc1592fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cbc15a0000 | 0xcbc15a0000 | 0xcbc15a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc15b0000 | 0xcbc15b0000 | 0xcbc15bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc15c0000 | 0xcbc15c0000 | 0xcbc15c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc15d0000 | 0xcbc15d0000 | 0xcbc15d0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cbc15e0000 | 0xcbc15e0000 | 0xcbc15e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cbc15f0000 | 0xcbc15f0000 | 0xcbc15f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000cbc1600000 | 0xcbc1600000 | 0xcbc1601fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc1610000 | 0xcbc1610000 | 0xcbc161ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x000000cbc1620000 | 0xcbc1620000 | 0xcbc1621fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc1630000 | 0xcbc1630000 | 0xcbc172ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xcbc1730000 | 0xcbc17e9fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000cbc1730000 | 0xcbc1730000 | 0xcbc1931fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cbc1940000 | 0xcbc1940000 | 0xcbc1ac7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cbc1ad0000 | 0xcbc1ad0000 | 0xcbc1c50fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cbc1c60000 | 0xcbc1c60000 | 0xcbc1d1ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cbc1d20000 | 0xcbc1d20000 | 0xcbc1e57fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000cbc1e60000 | 0xcbc1e60000 | 0xcbc1edffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0xcbc1ee0000 | 0xcbc21b4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000cbc21c0000 | 0xcbc21c0000 | 0xcbc223ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc2240000 | 0xcbc2240000 | 0xcbc22bffff | Private Memory | Readable, Writable |
|
|
|
|
| ole32.dll | 0xcbc22c0000 | 0xcbc2436fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000cbc22c0000 | 0xcbc22c0000 | 0xcbc24c1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc24d0000 | 0xcbc24d0000 | 0xcbc24e1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc24f0000 | 0xcbc24f0000 | 0xcbc24f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc2500000 | 0xcbc2500000 | 0xcbc2500fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc2510000 | 0xcbc2510000 | 0xcbc2511fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc2520000 | 0xcbc2520000 | 0xcbc2520fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc2530000 | 0xcbc2530000 | 0xcbc2531fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc2540000 | 0xcbc2540000 | 0xcbc2581fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc2590000 | 0xcbc2590000 | 0xcbc260ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc2610000 | 0xcbc2610000 | 0xcbc2611fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc2620000 | 0xcbc2620000 | 0xcbc2629fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc2630000 | 0xcbc2630000 | 0xcbc26affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc26b0000 | 0xcbc26b0000 | 0xcbc26b0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cbc26c0000 | 0xcbc26c0000 | 0xcbc26c1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc26d0000 | 0xcbc26d0000 | 0xcbc27cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cbc27d0000 | 0xcbc27d0000 | 0xcbc284ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63bc8c000 | 0x7ff63bc8c000 | 0x7ff63bc8dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63bc8e000 | 0x7ff63bc8e000 | 0x7ff63bc8ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff63bc90000 | 0x7ff63bc90000 | 0x7ff63bd8ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff63bd90000 | 0x7ff63bd90000 | 0x7ff63bdb2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff63bdb3000 | 0x7ff63bdb3000 | 0x7ff63bdb4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63bdb5000 | 0x7ff63bdb5000 | 0x7ff63bdb6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63bdb7000 | 0x7ff63bdb7000 | 0x7ff63bdb8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63bdb9000 | 0x7ff63bdb9000 | 0x7ff63bdbafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63bdbb000 | 0x7ff63bdbb000 | 0x7ff63bdbcfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63bdbd000 | 0x7ff63bdbd000 | 0x7ff63bdbefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff63bdbf000 | 0x7ff63bdbf000 | 0x7ff63bdbffff | Private Memory | Readable, Writable |
|
|
|
|
| audiodg.exe | 0x7ff63bff0000 | 0x7ff63c02ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wmalfxgfxdsp.dll | 0x7ffd11b90000 | 0x7ffd11d43fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mfplat.dll | 0x7ffd137d0000 | 0x7ffd138a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rtworkq.dll | 0x7ffd13a00000 | 0x7ffd13a23fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| audiokse.dll | 0x7ffd13af0000 | 0x7ffd13b4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| audioeng.dll | 0x7ffd13b50000 | 0x7ffd13bc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| audioses.dll | 0x7ffd15900000 | 0x7ffd15975fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| avrt.dll | 0x7ffd19d70000 | 0x7ffd19d7afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mmdevapi.dll | 0x7ffd1ade0000 | 0x7ffd1ae40fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x7ffd1cc50000 | 0x7ffd1cc94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:53, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:22 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x8ec |
| Parent PID | 0x450 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8F0
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000005ead530000 | 0x5ead530000 | 0x5ead54ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005ead530000 | 0x5ead530000 | 0x5ead53ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000005ead540000 | 0x5ead540000 | 0x5ead546fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005ead550000 | 0x5ead550000 | 0x5ead55efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005ead560000 | 0x5ead560000 | 0x5ead95ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005ead960000 | 0x5ead960000 | 0x5ead963fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005ead970000 | 0x5ead970000 | 0x5ead971fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005ead980000 | 0x5ead980000 | 0x5ead981fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005ead990000 | 0x5ead990000 | 0x5ead996fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005ead9a0000 | 0x5ead9a0000 | 0x5ead9a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005ead9b0000 | 0x5ead9b0000 | 0x5eaddaffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x5eaddb0000 | 0x5eade2dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005eade30000 | 0x5eade30000 | 0x5eade9ffff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x5eade30000 | 0x5eade63fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005eade30000 | 0x5eade30000 | 0x5eade30fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0x5eade40000 | 0x5eade40fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000005eade40000 | 0x5eade40000 | 0x5eade4ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005eade50000 | 0x5eade50000 | 0x5eade51fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005eade60000 | 0x5eade60000 | 0x5eade60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005eade60000 | 0x5eade60000 | 0x5eade63fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005eade70000 | 0x5eade70000 | 0x5eade76fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005eade80000 | 0x5eade80000 | 0x5eade80fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000005eade90000 | 0x5eade90000 | 0x5eade9ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005eadea0000 | 0x5eadea0000 | 0x5eae027fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005eae030000 | 0x5eae030000 | 0x5eae1b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005eae1c0000 | 0x5eae1c0000 | 0x5eaf5bffff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0x5eaf5c0000 | 0x5eaf679fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000005eaf5c0000 | 0x5eaf5c0000 | 0x5eaf6affff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000005eaf6b0000 | 0x5eaf6b0000 | 0x5eaf7affff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x5eaf7b0000 | 0x5eaf8b0fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0x5eaf7b0000 | 0x5eafa84fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000005eafa90000 | 0x5eafa90000 | 0x5eafa92fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005eafa90000 | 0x5eafa90000 | 0x5eafa90fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000005eafaa0000 | 0x5eafaa0000 | 0x5eafaa0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005eafab0000 | 0x5eafab0000 | 0x5eaffa1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x5eaffb0000 | 0x5eb0e1ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000005eb0e20000 | 0x5eb0e20000 | 0x5eb1037fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005eb1040000 | 0x5eb1040000 | 0x5eb1040fff | Pagefile Backed Memory | Readable |
|
|
|
|
| imageres.dll | 0x5eb1040000 | 0x5eb3ed5fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000005eb3ee0000 | 0x5eb3ee0000 | 0x5eb3ee2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005eb3ef0000 | 0x5eb3ef0000 | 0x5eb3ef0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000005eb3f00000 | 0x5eb3f00000 | 0x5eb42f9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000005eb4300000 | 0x5eb4300000 | 0x5eb4343fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6ce630000 | 0x7ff6ce630000 | 0x7ff6ce72ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ce730000 | 0x7ff6ce730000 | 0x7ff6ce752fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6ce75d000 | 0x7ff6ce75d000 | 0x7ff6ce75efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6ce75f000 | 0x7ff6ce75f000 | 0x7ff6ce75ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #70 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:56, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:19 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x910 |
| Parent PID | 0x8ec (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
914
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000be96460000 | 0xbe96460000 | 0xbe9647ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000be96460000 | 0xbe96460000 | 0xbe9646ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000be96470000 | 0xbe96470000 | 0xbe96476fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000be96480000 | 0xbe96480000 | 0xbe9648efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000be96490000 | 0xbe96490000 | 0xbe9688ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000be96890000 | 0xbe96890000 | 0xbe96893fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000be968a0000 | 0xbe968a0000 | 0xbe968a1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000be968b0000 | 0xbe968b0000 | 0xbe968b1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xbe968c0000 | 0xbe9693dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000be96940000 | 0xbe96940000 | 0xbe96946fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000be96950000 | 0xbe96950000 | 0xbe96950fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000be96960000 | 0xbe96960000 | 0xbe96960fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0xbe96970000 | 0xbe96970fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000be96970000 | 0xbe96970000 | 0xbe96970fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000be96970000 | 0xbe96970000 | 0xbe96973fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000be96980000 | 0xbe96980000 | 0xbe96d7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000be96d80000 | 0xbe96d80000 | 0xbe96e3ffff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xbe96d80000 | 0xbe96db3fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000be96d80000 | 0xbe96d80000 | 0xbe96d81fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000be96d90000 | 0xbe96d90000 | 0xbe96d96fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000be96da0000 | 0xbe96da0000 | 0xbe96da0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000be96db0000 | 0xbe96db0000 | 0xbe96db2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000be96db0000 | 0xbe96db0000 | 0xbe96db0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000be96dc0000 | 0xbe96dc0000 | 0xbe96dc0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000be96dd0000 | 0xbe96dd0000 | 0xbe96dd0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000be96dd0000 | 0xbe96dd0000 | 0xbe96dd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000be96de0000 | 0xbe96de0000 | 0xbe96de0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000be96e30000 | 0xbe96e30000 | 0xbe96e3ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000be96e40000 | 0xbe96e40000 | 0xbe96fc7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000be96fd0000 | 0xbe96fd0000 | 0xbe97150fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000be97160000 | 0xbe97160000 | 0xbe9855ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000be98560000 | 0xbe98560000 | 0xbe9870ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xbe98560000 | 0xbe98619fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000be98560000 | 0xbe98560000 | 0xbe9864ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000be98650000 | 0xbe98650000 | 0xbe98693fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000be98700000 | 0xbe98700000 | 0xbe9870ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000be98710000 | 0xbe98710000 | 0xbe9880ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0xbe98810000 | 0xbe98910fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0xbe98810000 | 0xbe98ae4fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000be98af0000 | 0xbe98af0000 | 0xbe98fe1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xbe98ff0000 | 0xbe99e5ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000be99e60000 | 0xbe99e60000 | 0xbe9a077fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xbe9a080000 | 0xbe9cf15fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000be9cf20000 | 0xbe9cf20000 | 0xbe9d319fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000be9d320000 | 0xbe9d320000 | 0xbe9d428fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6ceb10000 | 0x7ff6ceb10000 | 0x7ff6cec0ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6cec10000 | 0x7ff6cec10000 | 0x7ff6cec32fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6cec35000 | 0x7ff6cec35000 | 0x7ff6cec35fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6cec3e000 | 0x7ff6cec3e000 | 0x7ff6cec3ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #71 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:16 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x934 |
| Parent PID | 0x910 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
938
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000ebcbb40000 | 0xebcbb40000 | 0xebcbb5ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ebcbb40000 | 0xebcbb40000 | 0xebcbb4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ebcbb50000 | 0xebcbb50000 | 0xebcbb56fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ebcbb60000 | 0xebcbb60000 | 0xebcbb6efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ebcbb70000 | 0xebcbb70000 | 0xebcbf6ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ebcbf70000 | 0xebcbf70000 | 0xebcbf73fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ebcbf80000 | 0xebcbf80000 | 0xebcbf81fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ebcbf90000 | 0xebcbf90000 | 0xebcbf91fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ebcbfa0000 | 0xebcbfa0000 | 0xebcbfa6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ebcbfb0000 | 0xebcbfb0000 | 0xebcbfb0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ebcbfc0000 | 0xebcbfc0000 | 0xebcbfc0fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0xebcbfd0000 | 0xebcbfd0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ebcbfd0000 | 0xebcbfd0000 | 0xebcbfd0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ebcbfd0000 | 0xebcbfd0000 | 0xebcbfd3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ebcbfe0000 | 0xebcbfe0000 | 0xebcc3dffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xebcc3e0000 | 0xebcc45dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000ebcc460000 | 0xebcc460000 | 0xebcc5dffff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xebcc460000 | 0xebcc493fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ebcc460000 | 0xebcc460000 | 0xebcc461fff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0xebcc470000 | 0xebcc529fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ebcc470000 | 0xebcc470000 | 0xebcc55ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ebcc560000 | 0xebcc560000 | 0xebcc566fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ebcc570000 | 0xebcc570000 | 0xebcc570fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ebcc580000 | 0xebcc580000 | 0xebcc582fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ebcc580000 | 0xebcc580000 | 0xebcc580fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ebcc590000 | 0xebcc590000 | 0xebcc590fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ebcc5a0000 | 0xebcc5a0000 | 0xebcc5a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ebcc5a0000 | 0xebcc5a0000 | 0xebcc5a2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ebcc5b0000 | 0xebcc5b0000 | 0xebcc5b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ebcc5d0000 | 0xebcc5d0000 | 0xebcc5dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ebcc5e0000 | 0xebcc5e0000 | 0xebcc767fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ebcc770000 | 0xebcc770000 | 0xebcc8f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ebcc900000 | 0xebcc900000 | 0xebcdcfffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ebcdd00000 | 0xebcdd00000 | 0xebcde6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ebcdd00000 | 0xebcdd00000 | 0xebcddfffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ebcde00000 | 0xebcde00000 | 0xebcde43fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ebcde60000 | 0xebcde60000 | 0xebcde6ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0xebcde70000 | 0xebcdf70fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0xebcde70000 | 0xebce144fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ebce150000 | 0xebce150000 | 0xebce641fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xebce650000 | 0xebcf4bffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ebcf4c0000 | 0xebcf4c0000 | 0xebcf6d7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xebcf6e0000 | 0xebd2575fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ebd2580000 | 0xebd2580000 | 0xebd2979fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ce580000 | 0x7ff6ce580000 | 0x7ff6ce67ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ce680000 | 0x7ff6ce680000 | 0x7ff6ce6a2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6ce6ad000 | 0x7ff6ce6ad000 | 0x7ff6ce6aefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6ce6af000 | 0x7ff6ce6af000 | 0x7ff6ce6affff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #72 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:01, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:14 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x958 |
| Parent PID | 0x934 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
95C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000007c5f6e0000 | 0x7c5f6e0000 | 0x7c5f6fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007c5f6e0000 | 0x7c5f6e0000 | 0x7c5f6effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000007c5f6f0000 | 0x7c5f6f0000 | 0x7c5f6f6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007c5f700000 | 0x7c5f700000 | 0x7c5f70efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007c5f710000 | 0x7c5f710000 | 0x7c5fb0ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007c5fb10000 | 0x7c5fb10000 | 0x7c5fb13fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007c5fb20000 | 0x7c5fb20000 | 0x7c5fb21fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007c5fb30000 | 0x7c5fb30000 | 0x7c5fb31fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x7c5fb40000 | 0x7c5fbbdfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007c5fbc0000 | 0x7c5fbc0000 | 0x7c5fbc6fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x7c5fbd0000 | 0x7c5fc03fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000007c5fbd0000 | 0x7c5fbd0000 | 0x7c5fbd0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007c5fbe0000 | 0x7c5fbe0000 | 0x7c5fbe0fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0x7c5fbf0000 | 0x7c5fbf0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007c5fbf0000 | 0x7c5fbf0000 | 0x7c5fbf0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007c5fbf0000 | 0x7c5fbf0000 | 0x7c5fbf3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007c5fc00000 | 0x7c5fc00000 | 0x7c5fc01fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007c5fc10000 | 0x7c5fc10000 | 0x7c5fc16fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007c5fc20000 | 0x7c5fc20000 | 0x7c5fc20fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007c5fc30000 | 0x7c5fc30000 | 0x7c6002ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007c60030000 | 0x7c60030000 | 0x7c601effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007c60030000 | 0x7c60030000 | 0x7c601b7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007c601c0000 | 0x7c601c0000 | 0x7c601c2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007c601c0000 | 0x7c601c0000 | 0x7c601c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000007c601d0000 | 0x7c601d0000 | 0x7c601d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000007c601e0000 | 0x7c601e0000 | 0x7c601effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007c601f0000 | 0x7c601f0000 | 0x7c60370fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007c60380000 | 0x7c60380000 | 0x7c6177ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007c61780000 | 0x7c61780000 | 0x7c617cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000007c61780000 | 0x7c61780000 | 0x7c61780fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007c61780000 | 0x7c61780000 | 0x7c61782fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007c61790000 | 0x7c61790000 | 0x7c61790fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000007c617c0000 | 0x7c617c0000 | 0x7c617cffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x7c617d0000 | 0x7c61889fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007c617d0000 | 0x7c617d0000 | 0x7c618bffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000007c618c0000 | 0x7c618c0000 | 0x7c619bffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x7c619c0000 | 0x7c61ac0fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0x7c619c0000 | 0x7c61c94fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007c61ca0000 | 0x7c61ca0000 | 0x7c62191fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x7c621a0000 | 0x7c6300ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007c63010000 | 0x7c63010000 | 0x7c63227fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0x7c63230000 | 0x7c660c5fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000007c660d0000 | 0x7c660d0000 | 0x7c664c9fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000007c664d0000 | 0x7c664d0000 | 0x7c66513fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000007c66520000 | 0x7c66520000 | 0x7c6662efff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6ce910000 | 0x7ff6ce910000 | 0x7ff6cea0ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6cea10000 | 0x7ff6cea10000 | 0x7ff6cea32fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6cea34000 | 0x7ff6cea34000 | 0x7ff6cea34fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6cea3e000 | 0x7ff6cea3e000 | 0x7ff6cea3ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:11 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x980 |
| Parent PID | 0x958 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
984
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000ad711d0000 | 0xad711d0000 | 0xad711effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ad711d0000 | 0xad711d0000 | 0xad711dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ad711e0000 | 0xad711e0000 | 0xad711e6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ad711f0000 | 0xad711f0000 | 0xad711fefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ad71200000 | 0xad71200000 | 0xad715fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ad71600000 | 0xad71600000 | 0xad71603fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ad71610000 | 0xad71610000 | 0xad71611fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ad71620000 | 0xad71620000 | 0xad71621fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xad71630000 | 0xad716adfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000ad716b0000 | 0xad716b0000 | 0xad716b6fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xad716c0000 | 0xad716f3fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000ad716c0000 | 0xad716c0000 | 0xad716c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ad716d0000 | 0xad716d0000 | 0xad716d0fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0xad716e0000 | 0xad716e0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ad716e0000 | 0xad716e0000 | 0xad716e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ad716e0000 | 0xad716e0000 | 0xad716e3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ad716f0000 | 0xad716f0000 | 0xad716f1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ad71700000 | 0xad71700000 | 0xad71706fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ad71710000 | 0xad71710000 | 0xad71710fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ad71720000 | 0xad71720000 | 0xad71722fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ad71720000 | 0xad71720000 | 0xad71720fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ad71730000 | 0xad71730000 | 0xad71730fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ad71740000 | 0xad71740000 | 0xad71b3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ad71b40000 | 0xad71b40000 | 0xad71cfffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ad71b40000 | 0xad71b40000 | 0xad71cc7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ad71cd0000 | 0xad71cd0000 | 0xad71cd0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ad71cd0000 | 0xad71cd0000 | 0xad71cd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ad71ce0000 | 0xad71ce0000 | 0xad71ce0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ad71cf0000 | 0xad71cf0000 | 0xad71cfffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000ad71d00000 | 0xad71d00000 | 0xad71e80fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ad71e90000 | 0xad71e90000 | 0xad7328ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ad73290000 | 0xad73290000 | 0xad7344ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xad73290000 | 0xad73349fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ad73290000 | 0xad73290000 | 0xad7337ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000ad73380000 | 0xad73380000 | 0xad733c3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000ad73440000 | 0xad73440000 | 0xad7344ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000ad73450000 | 0xad73450000 | 0xad7354ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0xad73550000 | 0xad73650fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0xad73550000 | 0xad73824fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ad73830000 | 0xad73830000 | 0xad73d21fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xad73d30000 | 0xad74b9ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ad74ba0000 | 0xad74ba0000 | 0xad74db7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xad74dc0000 | 0xad77c55fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000ad77c60000 | 0xad77c60000 | 0xad78059fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000ad78060000 | 0xad78060000 | 0xad78169fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6cf000000 | 0x7ff6cf000000 | 0x7ff6cf0fffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6cf100000 | 0x7ff6cf100000 | 0x7ff6cf122fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6cf12d000 | 0x7ff6cf12d000 | 0x7ff6cf12efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6cf12f000 | 0x7ff6cf12f000 | 0x7ff6cf12ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #74 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:08 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x9a4 |
| Parent PID | 0x980 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9A8
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x00000061095d0000 | 0x61095d0000 | 0x61095effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000061095d0000 | 0x61095d0000 | 0x61095dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000061095e0000 | 0x61095e0000 | 0x61095e6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000061095f0000 | 0x61095f0000 | 0x61095fefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006109600000 | 0x6109600000 | 0x61099fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006109a00000 | 0x6109a00000 | 0x6109a03fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000006109a10000 | 0x6109a10000 | 0x6109a11fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000006109a20000 | 0x6109a20000 | 0x6109a21fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006109a30000 | 0x6109a30000 | 0x6109a36fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006109a40000 | 0x6109a40000 | 0x6109a40fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000006109a50000 | 0x6109a50000 | 0x6109e4ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x6109e50000 | 0x6109ecdfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000006109ed0000 | 0x6109ed0000 | 0x610a06ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000006109ed0000 | 0x6109ed0000 | 0x610a057fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000610a060000 | 0x610a060000 | 0x610a06ffff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x610a070000 | 0x610a0a3fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000610a070000 | 0x610a070000 | 0x610a1f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000610a200000 | 0x610a200000 | 0x610b5fffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000610b600000 | 0x610b600000 | 0x610b600fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0x610b610000 | 0x610b610fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000610b610000 | 0x610b610000 | 0x610b610fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000610b610000 | 0x610b610000 | 0x610b613fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000610b620000 | 0x610b620000 | 0x610b621fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000610b630000 | 0x610b630000 | 0x610b72ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x610b630000 | 0x610b6e9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000610b630000 | 0x610b630000 | 0x610b71ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000610b720000 | 0x610b720000 | 0x610b72ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000610b730000 | 0x610b730000 | 0x610b736fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000610b740000 | 0x610b740000 | 0x610b83ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x610b840000 | 0x610b940fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000610b840000 | 0x610b840000 | 0x610b840fff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x610b850000 | 0x610bb24fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000610bb30000 | 0x610bb30000 | 0x610bb32fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000610bb30000 | 0x610bb30000 | 0x610bb30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000610bb40000 | 0x610bb40000 | 0x610bb40fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000610bb50000 | 0x610bb50000 | 0x610c041fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x610c050000 | 0x610cebffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000610cec0000 | 0x610cec0000 | 0x610d0d7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000610d0e0000 | 0x610d0e0000 | 0x610d0e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| imageres.dll | 0x610d0e0000 | 0x610ff75fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000610ff80000 | 0x610ff80000 | 0x610ff82fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000610ff90000 | 0x610ff90000 | 0x610ff90fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000610ffa0000 | 0x610ffa0000 | 0x6110399fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000061103a0000 | 0x61103a0000 | 0x61103e3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000061103f0000 | 0x61103f0000 | 0x61104f9fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6ce300000 | 0x7ff6ce300000 | 0x7ff6ce3fffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ce400000 | 0x7ff6ce400000 | 0x7ff6ce422fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6ce42d000 | 0x7ff6ce42d000 | 0x7ff6ce42efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6ce42f000 | 0x7ff6ce42f000 | 0x7ff6ce42ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #75 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:06 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x9c8 |
| Parent PID | 0x9a4 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9CC
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000bd83340000 | 0xbd83340000 | 0xbd8335ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd83340000 | 0xbd83340000 | 0xbd8334ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd83350000 | 0xbd83350000 | 0xbd83356fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd83360000 | 0xbd83360000 | 0xbd8336efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bd83370000 | 0xbd83370000 | 0xbd8376ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd83770000 | 0xbd83770000 | 0xbd83773fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd83780000 | 0xbd83780000 | 0xbd83781fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bd83790000 | 0xbd83790000 | 0xbd83791fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xbd837a0000 | 0xbd8381dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000bd83820000 | 0xbd83820000 | 0xbd838effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd83820000 | 0xbd83820000 | 0xbd83826fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xbd83830000 | 0xbd83863fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000bd83830000 | 0xbd83830000 | 0xbd83830fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd83840000 | 0xbd83840000 | 0xbd83840fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0xbd83850000 | 0xbd83850fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000bd83850000 | 0xbd83850000 | 0xbd83850fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd83850000 | 0xbd83850000 | 0xbd83853fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd83860000 | 0xbd83860000 | 0xbd83861fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bd83870000 | 0xbd83870000 | 0xbd8388ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd83870000 | 0xbd83870000 | 0xbd83876fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd83880000 | 0xbd83880000 | 0xbd8388ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd83890000 | 0xbd83890000 | 0xbd83890fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd838a0000 | 0xbd838a0000 | 0xbd838a2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd838a0000 | 0xbd838a0000 | 0xbd838a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd838b0000 | 0xbd838b0000 | 0xbd838b0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd838c0000 | 0xbd838c0000 | 0xbd838c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd838c0000 | 0xbd838c0000 | 0xbd838c2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd838d0000 | 0xbd838d0000 | 0xbd838d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd838e0000 | 0xbd838e0000 | 0xbd838effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd838f0000 | 0xbd838f0000 | 0xbd83933fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000bd83980000 | 0xbd83980000 | 0xbd83d7ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000bd83d80000 | 0xbd83d80000 | 0xbd83f07fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd83f10000 | 0xbd83f10000 | 0xbd84090fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000bd840a0000 | 0xbd840a0000 | 0xbd8549ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0xbd854a0000 | 0xbd85559fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000bd854a0000 | 0xbd854a0000 | 0xbd8558ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bd85590000 | 0xbd85590000 | 0xbd8568ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0xbd85690000 | 0xbd85790fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0xbd85690000 | 0xbd85964fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000bd85970000 | 0xbd85970000 | 0xbd85e61fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xbd85e70000 | 0xbd86cdffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000bd86ce0000 | 0xbd86ce0000 | 0xbd86ef7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xbd86f00000 | 0xbd89d95fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000bd89da0000 | 0xbd89da0000 | 0xbd8a199fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000bd8a1a0000 | 0xbd8a1a0000 | 0xbd8a2a2fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6ce420000 | 0x7ff6ce420000 | 0x7ff6ce51ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ce520000 | 0x7ff6ce520000 | 0x7ff6ce542fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6ce545000 | 0x7ff6ce545000 | 0x7ff6ce545fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6ce54e000 | 0x7ff6ce54e000 | 0x7ff6ce54ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #76 |
| File Name | c:\windows\system32\thumbnailextractionhost.exe |
| Command Line | C:\Windows\System32\ThumbnailExtractionHost.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:04 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x9d8 |
| Parent PID | 0x228 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9DC
0x
9E0
0x
9E4
0x
9E8
0x
9EC
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000901a200000 | 0x901a200000 | 0x901a21ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000901a200000 | 0x901a200000 | 0x901a20ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000901a210000 | 0x901a210000 | 0x901a216fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000901a220000 | 0x901a220000 | 0x901a22efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000901a230000 | 0x901a230000 | 0x901a2affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000901a2b0000 | 0x901a2b0000 | 0x901a2b3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000901a2c0000 | 0x901a2c0000 | 0x901a2c2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000901a2d0000 | 0x901a2d0000 | 0x901a2d1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x901a2e0000 | 0x901a35dfff | Memory Mapped File | Readable |
|
|
|
|
| imm32.dll | 0x901a360000 | 0x901a393fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000901a360000 | 0x901a360000 | 0x901a366fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000901a370000 | 0x901a370000 | 0x901a370fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000901a380000 | 0x901a380000 | 0x901a380fff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x901a390000 | 0x901a449fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000901a390000 | 0x901a390000 | 0x901a390fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000901a390000 | 0x901a390000 | 0x901a393fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000901a3a0000 | 0x901a3a0000 | 0x901a3a6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000901a3b0000 | 0x901a3b0000 | 0x901a3b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000901a3c0000 | 0x901a3c0000 | 0x901a43ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000901a450000 | 0x901a450000 | 0x901a54ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000901a550000 | 0x901a550000 | 0x901a6d7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000901a6e0000 | 0x901a6e0000 | 0x901a84ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000901a6e0000 | 0x901a6e0000 | 0x901a7fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000901a6e0000 | 0x901a6e0000 | 0x901a7cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000901a7f0000 | 0x901a7f0000 | 0x901a7fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000901a840000 | 0x901a840000 | 0x901a84ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000901a850000 | 0x901a850000 | 0x901a9d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000901a9e0000 | 0x901a9e0000 | 0x901bddffff | Pagefile Backed Memory | Readable |
|
|
|
|
| ole32.dll | 0x901bde0000 | 0x901bf56fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0x901bde0000 | 0x901c0b4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000901c0c0000 | 0x901c0c0000 | 0x901c13ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000901c140000 | 0x901c140000 | 0x901c1bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000901c1c0000 | 0x901c1c0000 | 0x901c23ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff738310000 | 0x7ff738310000 | 0x7ff73840ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff738410000 | 0x7ff738410000 | 0x7ff738432fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff738434000 | 0x7ff738434000 | 0x7ff738435fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff738436000 | 0x7ff738436000 | 0x7ff738437fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff738438000 | 0x7ff738438000 | 0x7ff738438fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff73843a000 | 0x7ff73843a000 | 0x7ff73843bfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff73843c000 | 0x7ff73843c000 | 0x7ff73843dfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff73843e000 | 0x7ff73843e000 | 0x7ff73843ffff | Private Memory | Readable, Writable |
|
|
|
|
| thumbnailextractionhost.exe | 0x7ff738e70000 | 0x7ff738e7bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x7ffd19f90000 | 0x7ffd1a0f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #77 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:03 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa08 |
| Parent PID | 0x9c8 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A0C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000df36b60000 | 0xdf36b60000 | 0xdf36b7ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000df36b60000 | 0xdf36b60000 | 0xdf36b6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000df36b70000 | 0xdf36b70000 | 0xdf36b76fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000df36b80000 | 0xdf36b80000 | 0xdf36b8efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000df36b90000 | 0xdf36b90000 | 0xdf36f8ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000df36f90000 | 0xdf36f90000 | 0xdf36f93fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000df36fa0000 | 0xdf36fa0000 | 0xdf36fa1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000df36fb0000 | 0xdf36fb0000 | 0xdf36fb1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xdf36fc0000 | 0xdf3703dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000df37040000 | 0xdf37040000 | 0xdf37046fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000df37050000 | 0xdf37050000 | 0xdf37050fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000df37060000 | 0xdf37060000 | 0xdf37060fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000df37070000 | 0xdf37070000 | 0xdf3746ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000df37470000 | 0xdf37470000 | 0xdf3764ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000df37470000 | 0xdf37470000 | 0xdf375f7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| imm32.dll | 0xdf37600000 | 0xdf37633fff | Memory Mapped File | Readable |
|
|
|
|
| windowsshell.manifest | 0xdf37600000 | 0xdf37600fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000df37600000 | 0xdf37600000 | 0xdf37600fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000df37600000 | 0xdf37600000 | 0xdf37603fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000df37610000 | 0xdf37610000 | 0xdf37611fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000df37620000 | 0xdf37620000 | 0xdf37626fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000df37630000 | 0xdf37630000 | 0xdf37630fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000df37640000 | 0xdf37640000 | 0xdf3764ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000df37650000 | 0xdf37650000 | 0xdf377d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000df377e0000 | 0xdf377e0000 | 0xdf38bdffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000df38be0000 | 0xdf38be0000 | 0xdf38c1ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000df38be0000 | 0xdf38be0000 | 0xdf38be2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000df38be0000 | 0xdf38be0000 | 0xdf38be0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000df38bf0000 | 0xdf38bf0000 | 0xdf38bf0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000df38c00000 | 0xdf38c00000 | 0xdf38c00fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000df38c00000 | 0xdf38c00000 | 0xdf38c02fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000df38c10000 | 0xdf38c10000 | 0xdf38c1ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xdf38c20000 | 0xdf38cd9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000df38c20000 | 0xdf38c20000 | 0xdf38d0ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000df38d10000 | 0xdf38d10000 | 0xdf38e0ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0xdf38e10000 | 0xdf38f10fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0xdf38e10000 | 0xdf390e4fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000df390f0000 | 0xdf390f0000 | 0xdf395e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xdf395f0000 | 0xdf3a45ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000df3a460000 | 0xdf3a460000 | 0xdf3a677fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xdf3a680000 | 0xdf3d515fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000df3d520000 | 0xdf3d520000 | 0xdf3d520fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000df3d530000 | 0xdf3d530000 | 0xdf3d929fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000df3d930000 | 0xdf3d930000 | 0xdf3d973fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000df3d980000 | 0xdf3d980000 | 0xdf3da8cfff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6cea70000 | 0x7ff6cea70000 | 0x7ff6ceb6ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ceb70000 | 0x7ff6ceb70000 | 0x7ff6ceb92fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6ceb9d000 | 0x7ff6ceb9d000 | 0x7ff6ceb9efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6ceb9f000 | 0x7ff6ceb9f000 | 0x7ff6ceb9ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #78 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:59 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa40 |
| Parent PID | 0xa08 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A44
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x00000004c3380000 | 0x4c3380000 | 0x4c339ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000004c3380000 | 0x4c3380000 | 0x4c338ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000004c3390000 | 0x4c3390000 | 0x4c3396fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000004c33a0000 | 0x4c33a0000 | 0x4c33aefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000004c33b0000 | 0x4c33b0000 | 0x4c37affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000004c37b0000 | 0x4c37b0000 | 0x4c37b3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000004c37c0000 | 0x4c37c0000 | 0x4c37c1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000004c37d0000 | 0x4c37d0000 | 0x4c37d1fff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x4c37e0000 | 0x4c385dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000004c3860000 | 0x4c3860000 | 0x4c3866fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000004c3870000 | 0x4c3870000 | 0x4c3870fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000004c3880000 | 0x4c3880000 | 0x4c3880fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0x4c3890000 | 0x4c3890fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000004c3890000 | 0x4c3890000 | 0x4c3890fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000004c3890000 | 0x4c3890000 | 0x4c3893fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000004c38a0000 | 0x4c38a0000 | 0x4c3c9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000004c3ca0000 | 0x4c3ca0000 | 0x4c3e8ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000004c3ca0000 | 0x4c3ca0000 | 0x4c3e27fff | Pagefile Backed Memory | Readable |
|
|
|
|
| imm32.dll | 0x4c3e30000 | 0x4c3e63fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000004c3e30000 | 0x4c3e30000 | 0x4c3e31fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000004c3e40000 | 0x4c3e40000 | 0x4c3e7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000004c3e40000 | 0x4c3e40000 | 0x4c3e46fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000004c3e50000 | 0x4c3e50000 | 0x4c3e50fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000004c3e60000 | 0x4c3e60000 | 0x4c3e62fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000004c3e60000 | 0x4c3e60000 | 0x4c3e60fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000004c3e70000 | 0x4c3e70000 | 0x4c3e7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000004c3e80000 | 0x4c3e80000 | 0x4c3e8ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000004c3e90000 | 0x4c3e90000 | 0x4c4010fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000004c4020000 | 0x4c4020000 | 0x4c541ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0x4c5420000 | 0x4c54d9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000004c5420000 | 0x4c5420000 | 0x4c550ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000004c5510000 | 0x4c5510000 | 0x4c560ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x4c5610000 | 0x4c5710fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0x4c5610000 | 0x4c58e4fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000004c58f0000 | 0x4c58f0000 | 0x4c58f0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000004c5900000 | 0x4c5900000 | 0x4c5df1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x4c5e00000 | 0x4c6c6ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000004c6c70000 | 0x4c6c70000 | 0x4c6e87fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000004c6e90000 | 0x4c6e90000 | 0x4c6e90fff | Pagefile Backed Memory | Readable |
|
|
|
|
| imageres.dll | 0x4c6e90000 | 0x4c9d25fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000004c9d30000 | 0x4c9d30000 | 0x4c9d32fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000004c9d40000 | 0x4c9d40000 | 0x4c9d40fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000004c9d50000 | 0x4c9d50000 | 0x4ca149fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000004ca150000 | 0x4ca150000 | 0x4ca193fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000004ca1a0000 | 0x4ca1a0000 | 0x4ca2a1fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6ce6e0000 | 0x7ff6ce6e0000 | 0x7ff6ce7dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ce7e0000 | 0x7ff6ce7e0000 | 0x7ff6ce802fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6ce807000 | 0x7ff6ce807000 | 0x7ff6ce807fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6ce80e000 | 0x7ff6ce80e000 | 0x7ff6ce80ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #79 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:57 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa64 |
| Parent PID | 0xa40 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A68
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x00000043029a0000 | 0x43029a0000 | 0x43029bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000043029a0000 | 0x43029a0000 | 0x43029affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000043029b0000 | 0x43029b0000 | 0x43029b6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000043029c0000 | 0x43029c0000 | 0x43029cefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000043029d0000 | 0x43029d0000 | 0x4302dcffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004302dd0000 | 0x4302dd0000 | 0x4302dd3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004302de0000 | 0x4302de0000 | 0x4302de1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000004302df0000 | 0x4302df0000 | 0x4302df1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004302e00000 | 0x4302e00000 | 0x4302e06fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004302e10000 | 0x4302e10000 | 0x4302e10fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004302e20000 | 0x4302e20000 | 0x430321ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x4303220000 | 0x430329dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000043032a0000 | 0x43032a0000 | 0x43032fffff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x43032a0000 | 0x43032d3fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000043032a0000 | 0x43032a0000 | 0x43032a0fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0x43032b0000 | 0x43032b0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000043032b0000 | 0x43032b0000 | 0x43032b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000043032b0000 | 0x43032b0000 | 0x43032b3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000043032c0000 | 0x43032c0000 | 0x43032c1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000043032d0000 | 0x43032d0000 | 0x43032d6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000043032e0000 | 0x43032e0000 | 0x43032e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000043032f0000 | 0x43032f0000 | 0x43032fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004303300000 | 0x4303300000 | 0x4303487fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004303490000 | 0x4303490000 | 0x4303610fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004303620000 | 0x4303620000 | 0x4304a1ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000004304a20000 | 0x4304a20000 | 0x4304b6ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x4304a20000 | 0x4304ad9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000004304a20000 | 0x4304a20000 | 0x4304b0ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004304b10000 | 0x4304b10000 | 0x4304b12fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004304b10000 | 0x4304b10000 | 0x4304b10fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000004304b20000 | 0x4304b20000 | 0x4304b20fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004304b30000 | 0x4304b30000 | 0x4304b30fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004304b30000 | 0x4304b30000 | 0x4304b32fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004304b40000 | 0x4304b40000 | 0x4304b40fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000004304b60000 | 0x4304b60000 | 0x4304b6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004304b70000 | 0x4304b70000 | 0x4304c6ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x4304c70000 | 0x4304d70fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0x4304c70000 | 0x4304f44fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000004304f50000 | 0x4304f50000 | 0x4305441fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x4305450000 | 0x43062bffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000043062c0000 | 0x43062c0000 | 0x43064d7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0x43064e0000 | 0x4309375fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000004309380000 | 0x4309380000 | 0x4309779fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004309780000 | 0x4309780000 | 0x43097c3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6ce2d0000 | 0x7ff6ce2d0000 | 0x7ff6ce3cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ce3d0000 | 0x7ff6ce3d0000 | 0x7ff6ce3f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6ce3f4000 | 0x7ff6ce3f4000 | 0x7ff6ce3f4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6ce3fe000 | 0x7ff6ce3fe000 | 0x7ff6ce3fffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #80 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:54 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa88 |
| Parent PID | 0xa64 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A8C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000002fb7650000 | 0x2fb7650000 | 0x2fb766ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002fb7650000 | 0x2fb7650000 | 0x2fb765ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000002fb7660000 | 0x2fb7660000 | 0x2fb7666fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002fb7670000 | 0x2fb7670000 | 0x2fb767efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002fb7680000 | 0x2fb7680000 | 0x2fb7a7ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002fb7a80000 | 0x2fb7a80000 | 0x2fb7a83fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002fb7a90000 | 0x2fb7a90000 | 0x2fb7a91fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002fb7aa0000 | 0x2fb7aa0000 | 0x2fb7aa1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002fb7ab0000 | 0x2fb7ab0000 | 0x2fb7ecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002fb7ab0000 | 0x2fb7ab0000 | 0x2fb7ab6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002fb7ac0000 | 0x2fb7ac0000 | 0x2fb7ac0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002fb7ad0000 | 0x2fb7ad0000 | 0x2fb7ecffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x2fb7ed0000 | 0x2fb7f4dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000002fb7f50000 | 0x2fb7f50000 | 0x2fb80dffff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x2fb7f50000 | 0x2fb7f83fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000002fb7f50000 | 0x2fb7f50000 | 0x2fb7f50fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0x2fb7f60000 | 0x2fb7f60fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000002fb7f60000 | 0x2fb7f60000 | 0x2fb7f60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002fb7f60000 | 0x2fb7f60000 | 0x2fb7f63fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002fb7f70000 | 0x2fb7f70000 | 0x2fb7f71fff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0x2fb7f80000 | 0x2fb8039fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000002fb7f80000 | 0x2fb7f80000 | 0x2fb806ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002fb8070000 | 0x2fb8070000 | 0x2fb8076fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002fb8080000 | 0x2fb8080000 | 0x2fb8080fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002fb8090000 | 0x2fb8090000 | 0x2fb8092fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002fb8090000 | 0x2fb8090000 | 0x2fb8090fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000002fb80a0000 | 0x2fb80a0000 | 0x2fb80a0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002fb80b0000 | 0x2fb80b0000 | 0x2fb80b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002fb80b0000 | 0x2fb80b0000 | 0x2fb80b2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002fb80c0000 | 0x2fb80c0000 | 0x2fb80c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000002fb80d0000 | 0x2fb80d0000 | 0x2fb80dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002fb80e0000 | 0x2fb80e0000 | 0x2fb8267fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002fb8270000 | 0x2fb8270000 | 0x2fb83f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000002fb8400000 | 0x2fb8400000 | 0x2fb97fffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002fb9800000 | 0x2fb9800000 | 0x2fb998ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000002fb9800000 | 0x2fb9800000 | 0x2fb98fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000002fb9900000 | 0x2fb9900000 | 0x2fb9943fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000002fb9980000 | 0x2fb9980000 | 0x2fb998ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x2fb9990000 | 0x2fb9a90fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0x2fb9990000 | 0x2fb9c64fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000002fb9c70000 | 0x2fb9c70000 | 0x2fba161fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x2fba170000 | 0x2fbafdffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000002fbafe0000 | 0x2fbafe0000 | 0x2fbb1f7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0x2fbb200000 | 0x2fbe095fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000002fbe0a0000 | 0x2fbe0a0000 | 0x2fbe499fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000002fbe4a0000 | 0x2fbe4a0000 | 0x2fbe5a9fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6cede0000 | 0x7ff6cede0000 | 0x7ff6ceedffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ceee0000 | 0x7ff6ceee0000 | 0x7ff6cef02fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6cef0d000 | 0x7ff6cef0d000 | 0x7ff6cef0efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6cef0f000 | 0x7ff6cef0f000 | 0x7ff6cef0ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #81 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:23, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:52 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xaac |
| Parent PID | 0xa88 (c:\users\5jghko~1\desktop\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB0
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000004780000000 | 0x4780000000 | 0x47803fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004780400000 | 0x4780400000 | 0x478095ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004780400000 | 0x4780400000 | 0x478040ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x4780410000 | 0x478048dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000004780490000 | 0x4780490000 | 0x4780496fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000047804a0000 | 0x47804a0000 | 0x47804a6fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0x47804b0000 | 0x47804e3fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000047804b0000 | 0x47804b0000 | 0x47804b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000047804c0000 | 0x47804c0000 | 0x47804c0fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0x47804d0000 | 0x47804d0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000047804d0000 | 0x47804d0000 | 0x47804d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000047804d0000 | 0x47804d0000 | 0x47804d3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000047804e0000 | 0x47804e0000 | 0x47804e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000047804f0000 | 0x47804f0000 | 0x47804f6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004780500000 | 0x4780500000 | 0x4780500fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004780510000 | 0x4780510000 | 0x4780512fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004780510000 | 0x4780510000 | 0x4780510fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000004780520000 | 0x4780520000 | 0x4780520fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004780530000 | 0x4780530000 | 0x4780530fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004780530000 | 0x4780530000 | 0x4780532fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004780540000 | 0x4780540000 | 0x4780540fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000004780560000 | 0x4780560000 | 0x478095ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004780960000 | 0x4780960000 | 0x4780b3ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004780960000 | 0x4780960000 | 0x4780ae7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000004780b30000 | 0x4780b30000 | 0x4780b3ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000004780b40000 | 0x4780b40000 | 0x4780cc0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000004780cd0000 | 0x4780cd0000 | 0x47820cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000047820d0000 | 0x47820d0000 | 0x478228ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0x47820d0000 | 0x4782189fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000047820d0000 | 0x47820d0000 | 0x47821bffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000047821c0000 | 0x47821c0000 | 0x4782203fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000004782280000 | 0x4782280000 | 0x478228ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000004782290000 | 0x4782290000 | 0x478238ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0x4782390000 | 0x4782490fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0x4782390000 | 0x4782664fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000004782670000 | 0x4782670000 | 0x4782b61fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x4782b70000 | 0x47839dffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000047839e0000 | 0x47839e0000 | 0x4783bf7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0x4783c00000 | 0x4786a95fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000004786aa0000 | 0x4786aa0000 | 0x4786e99fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000004786ea0000 | 0x4786ea0000 | 0x4786fa2fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000047ffed0000 | 0x47ffed0000 | 0x47ffeeffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000047ffef0000 | 0x47ffef0000 | 0x47ffefefff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000047fff00000 | 0x47fff00000 | 0x47fff03fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000047fff10000 | 0x47fff10000 | 0x47fff11fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000047fff20000 | 0x47fff20000 | 0x47fff21fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6cee60000 | 0x7ff6cee60000 | 0x7ff6cef5ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6cef60000 | 0x7ff6cef60000 | 0x7ff6cef82fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6cef8a000 | 0x7ff6cef8a000 | 0x7ff6cef8afff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6cef8e000 | 0x7ff6cef8e000 | 0x7ff6cef8ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #82 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:26, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:49 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xad0 |
| Parent PID | 0xaac (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD4
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000a8d9c90000 | 0xa8d9c90000 | 0xa8d9caffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a8d9c90000 | 0xa8d9c90000 | 0xa8d9c9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000a8d9ca0000 | 0xa8d9ca0000 | 0xa8d9ca6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a8d9cb0000 | 0xa8d9cb0000 | 0xa8d9cbefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a8d9cc0000 | 0xa8d9cc0000 | 0xa8da0bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a8da0c0000 | 0xa8da0c0000 | 0xa8da0c3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a8da0d0000 | 0xa8da0d0000 | 0xa8da0d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a8da0e0000 | 0xa8da0e0000 | 0xa8da0e1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a8da0f0000 | 0xa8da0f0000 | 0xa8da56ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xa8da0f0000 | 0xa8da16dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000a8da170000 | 0xa8da170000 | 0xa8da56ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a8da570000 | 0xa8da570000 | 0xa8da72ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a8da570000 | 0xa8da570000 | 0xa8da576fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a8da580000 | 0xa8da580000 | 0xa8da707fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a8da710000 | 0xa8da710000 | 0xa8da710fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a8da720000 | 0xa8da720000 | 0xa8da72ffff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xa8da730000 | 0xa8da763fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000a8da730000 | 0xa8da730000 | 0xa8da8b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a8da8c0000 | 0xa8da8c0000 | 0xa8dbcbffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a8dbcc0000 | 0xa8dbcc0000 | 0xa8dbcc0fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0xa8dbcd0000 | 0xa8dbcd0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000a8dbcd0000 | 0xa8dbcd0000 | 0xa8dbcd0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a8dbcd0000 | 0xa8dbcd0000 | 0xa8dbcd3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a8dbce0000 | 0xa8dbce0000 | 0xa8dbce1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a8dbcf0000 | 0xa8dbcf0000 | 0xa8dbdfffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xa8dbcf0000 | 0xa8dbda9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000a8dbcf0000 | 0xa8dbcf0000 | 0xa8dbddffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000a8dbde0000 | 0xa8dbde0000 | 0xa8dbde6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a8dbdf0000 | 0xa8dbdf0000 | 0xa8dbdfffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000a8dbe00000 | 0xa8dbe00000 | 0xa8dbefffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0xa8dbf00000 | 0xa8dc000fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000a8dbf00000 | 0xa8dbf00000 | 0xa8dbf00fff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0xa8dbf10000 | 0xa8dc1e4fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000a8dc1f0000 | 0xa8dc1f0000 | 0xa8dc1f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a8dc1f0000 | 0xa8dc1f0000 | 0xa8dc1f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000a8dc200000 | 0xa8dc200000 | 0xa8dc200fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a8dc210000 | 0xa8dc210000 | 0xa8dc701fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xa8dc710000 | 0xa8dd57ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000a8dd580000 | 0xa8dd580000 | 0xa8dd797fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a8dd7a0000 | 0xa8dd7a0000 | 0xa8dd7a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| imageres.dll | 0xa8dd7a0000 | 0xa8e0635fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000a8e0640000 | 0xa8e0640000 | 0xa8e0642fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a8e0650000 | 0xa8e0650000 | 0xa8e0650fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000a8e0660000 | 0xa8e0660000 | 0xa8e0a59fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000a8e0a60000 | 0xa8e0a60000 | 0xa8e0aa3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6ce9d0000 | 0x7ff6ce9d0000 | 0x7ff6ceacffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6cead0000 | 0x7ff6cead0000 | 0x7ff6ceaf2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6ceaf9000 | 0x7ff6ceaf9000 | 0x7ff6ceaf9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6ceafe000 | 0x7ff6ceafe000 | 0x7ff6ceafffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #83 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:29, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:46 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xaf4 |
| Parent PID | 0xad0 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AF8
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000e3520f0000 | 0xe3520f0000 | 0xe35210ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e3520f0000 | 0xe3520f0000 | 0xe3520fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000e352100000 | 0xe352100000 | 0xe352106fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e352110000 | 0xe352110000 | 0xe35211efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e352120000 | 0xe352120000 | 0xe35251ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e352520000 | 0xe352520000 | 0xe352523fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e352530000 | 0xe352530000 | 0xe352531fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e352540000 | 0xe352540000 | 0xe352541fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e352550000 | 0xe352550000 | 0xe35296ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e352550000 | 0xe352550000 | 0xe352556fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e352560000 | 0xe352560000 | 0xe352560fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e352570000 | 0xe352570000 | 0xe35296ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xe352970000 | 0xe3529edfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000e3529f0000 | 0xe3529f0000 | 0xe352a8ffff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xe3529f0000 | 0xe352a23fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000e3529f0000 | 0xe3529f0000 | 0xe3529f0fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0xe352a00000 | 0xe352a00fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e352a00000 | 0xe352a00000 | 0xe352a00fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e352a00000 | 0xe352a00000 | 0xe352a03fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e352a10000 | 0xe352a10000 | 0xe352a11fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e352a20000 | 0xe352a20000 | 0xe352a26fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000e352a30000 | 0xe352a30000 | 0xe352a30fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e352a40000 | 0xe352a40000 | 0xe352a42fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e352a40000 | 0xe352a40000 | 0xe352a40fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000e352a50000 | 0xe352a50000 | 0xe352a50fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e352a60000 | 0xe352a60000 | 0xe352a60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e352a60000 | 0xe352a60000 | 0xe352a62fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e352a70000 | 0xe352a70000 | 0xe352a70fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000e352a80000 | 0xe352a80000 | 0xe352a8ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e352a90000 | 0xe352a90000 | 0xe352c17fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e352c20000 | 0xe352c20000 | 0xe352da0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000e352db0000 | 0xe352db0000 | 0xe3541affff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e3541b0000 | 0xe3541b0000 | 0xe35423ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000e3541b0000 | 0xe3541b0000 | 0xe3541f3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000e354230000 | 0xe354230000 | 0xe35423ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xe354240000 | 0xe3542f9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e354240000 | 0xe354240000 | 0xe35432ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e354330000 | 0xe354330000 | 0xe35442ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0xe354430000 | 0xe354530fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0xe354430000 | 0xe354704fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e354710000 | 0xe354710000 | 0xe354c01fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xe354c10000 | 0xe355a7ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e355a80000 | 0xe355a80000 | 0xe355c97fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xe355ca0000 | 0xe358b35fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000e358b40000 | 0xe358b40000 | 0xe358f39fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000e358f40000 | 0xe358f40000 | 0xe359045fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6ce510000 | 0x7ff6ce510000 | 0x7ff6ce60ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ce610000 | 0x7ff6ce610000 | 0x7ff6ce632fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6ce63d000 | 0x7ff6ce63d000 | 0x7ff6ce63efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6ce63f000 | 0x7ff6ce63f000 | 0x7ff6ce63ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #84 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:31, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:44 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xb18 |
| Parent PID | 0xaf4 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B1C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x0000000ec4f90000 | 0xec4f90000 | 0xec4faffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ec4f90000 | 0xec4f90000 | 0xec4f9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ec4fa0000 | 0xec4fa0000 | 0xec4fa6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ec4fb0000 | 0xec4fb0000 | 0xec4fbefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000ec4fc0000 | 0xec4fc0000 | 0xec53bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ec53c0000 | 0xec53c0000 | 0xec53c3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ec53d0000 | 0xec53d0000 | 0xec53d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000ec53e0000 | 0xec53e0000 | 0xec53e1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ec53f0000 | 0xec53f0000 | 0xec596ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xec53f0000 | 0xec546dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000ec5470000 | 0xec5470000 | 0xec550ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ec5470000 | 0xec5470000 | 0xec5476fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xec5480000 | 0xec54b3fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000ec5480000 | 0xec5480000 | 0xec5480fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ec5490000 | 0xec5490000 | 0xec5490fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0xec54a0000 | 0xec54a0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000ec54a0000 | 0xec54a0000 | 0xec54a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ec54a0000 | 0xec54a0000 | 0xec54a3fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ec54b0000 | 0xec54b0000 | 0xec54b1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000ec54c0000 | 0xec54c0000 | 0xec54c6fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ec54d0000 | 0xec54d0000 | 0xec54d0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ec54e0000 | 0xec54e0000 | 0xec54e2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ec54e0000 | 0xec54e0000 | 0xec54e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ec54f0000 | 0xec54f0000 | 0xec54f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ec5500000 | 0xec5500000 | 0xec550ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ec5510000 | 0xec5510000 | 0xec5510fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ec5510000 | 0xec5510000 | 0xec5512fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ec5520000 | 0xec5520000 | 0xec5520fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ec5570000 | 0xec5570000 | 0xec596ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ec5970000 | 0xec5970000 | 0xec5af7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ec5b00000 | 0xec5b00000 | 0xec5c80fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000ec5c90000 | 0xec5c90000 | 0xec708ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000ec7090000 | 0xec7090000 | 0xec713ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000ec7090000 | 0xec7090000 | 0xec70d3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000ec7130000 | 0xec7130000 | 0xec713ffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xec7140000 | 0xec71f9fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000ec7140000 | 0xec7140000 | 0xec722ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000ec7230000 | 0xec7230000 | 0xec732ffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0xec7330000 | 0xec7430fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0xec7330000 | 0xec7604fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000ec7610000 | 0xec7610000 | 0xec7b01fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xec7b10000 | 0xec897ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000ec8980000 | 0xec8980000 | 0xec8b97fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xec8ba0000 | 0xecba35fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000ecba40000 | 0xecba40000 | 0xecbe39fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000ecbe40000 | 0xecbe40000 | 0xecbf4afff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff6ce5b0000 | 0x7ff6ce5b0000 | 0x7ff6ce6affff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6ce6b0000 | 0x7ff6ce6b0000 | 0x7ff6ce6d2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6ce6d3000 | 0x7ff6ce6d3000 | 0x7ff6ce6d3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6ce6de000 | 0x7ff6ce6de000 | 0x7ff6ce6dffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #85 |
| File Name | c:\progra~1\common~1\wanacr~1.exe |
| Command Line | C:\PROGRA~1\COMMON~1\WANACR~1.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:34, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:41 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xb3c |
| Parent PID | 0xb18 (c:\progra~1\common~1\wanacr~1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B40
0x
BB0
0x
BB4
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000cb27840000 | 0xcb27840000 | 0xcb2785ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cb27840000 | 0xcb27840000 | 0xcb2784ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000cb27850000 | 0xcb27850000 | 0xcb27856fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cb27860000 | 0xcb27860000 | 0xcb2786efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000cb27870000 | 0xcb27870000 | 0xcb27c6ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cb27c70000 | 0xcb27c70000 | 0xcb27c73fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cb27c80000 | 0xcb27c80000 | 0xcb27c81fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000cb27c90000 | 0xcb27c90000 | 0xcb27c91fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cb27ca0000 | 0xcb27ca0000 | 0xcb2822ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0xcb27ca0000 | 0xcb27d1dfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000cb27d20000 | 0xcb27d20000 | 0xcb27d2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cb27d30000 | 0xcb27d30000 | 0xcb27d36fff | Private Memory | Readable, Writable |
|
|
|
|
| imm32.dll | 0xcb27d40000 | 0xcb27d73fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000cb27d40000 | 0xcb27d40000 | 0xcb27d40fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cb27d50000 | 0xcb27d50000 | 0xcb27d50fff | Private Memory | Readable, Writable |
|
|
|
|
| windowsshell.manifest | 0xcb27d60000 | 0xcb27d60fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000cb27d60000 | 0xcb27d60000 | 0xcb27d60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cb27d60000 | 0xcb27d60000 | 0xcb27d63fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cb27d70000 | 0xcb27d70000 | 0xcb27d71fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000cb27d80000 | 0xcb27d80000 | 0xcb27d86fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cb27d90000 | 0xcb27d90000 | 0xcb27d90fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cb27da0000 | 0xcb27da0000 | 0xcb27da2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cb27da0000 | 0xcb27da0000 | 0xcb27da0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000cb27db0000 | 0xcb27db0000 | 0xcb27db0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cb27dc0000 | 0xcb27dc0000 | 0xcb27dc0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cb27dc0000 | 0xcb27dc0000 | 0xcb27dc2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cb27dd0000 | 0xcb27dd0000 | 0xcb27dd0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cb27de0000 | 0xcb27de0000 | 0xcb27e23fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000cb27e30000 | 0xcb27e30000 | 0xcb2822ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000cb28230000 | 0xcb28230000 | 0xcb283b7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cb283c0000 | 0xcb283c0000 | 0xcb28540fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000cb28550000 | 0xcb28550000 | 0xcb2994ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000cb29950000 | 0xcb29950000 | 0xcb29afffff | Private Memory | Readable, Writable |
|
|
|
|
| rpcss.dll | 0xcb29950000 | 0xcb29a09fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000cb29950000 | 0xcb29950000 | 0xcb29a3ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000cb29af0000 | 0xcb29af0000 | 0xcb29afffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000cb29b00000 | 0xcb29b00000 | 0xcb29bfffff | Private Memory | Readable, Writable |
|
|
|
|
| wanacry6.malware.exe | 0xcb29c00000 | 0xcb29d00fff | Memory Mapped File | Readable |
|
|
|
|
| sortdefault.nls | 0xcb29c00000 | 0xcb29ed4fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000cb29ee0000 | 0xcb29ee0000 | 0xcb2a3d1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0xcb2a3e0000 | 0xcb2b24ffff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000cb2b250000 | 0xcb2b250000 | 0xcb2b467fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0xcb2b470000 | 0xcb2e305fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x000000cb2e310000 | 0xcb2e310000 | 0xcb2e709fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6cf1c0000 | 0x7ff6cf1c0000 | 0x7ff6cf2bffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff6cf2c0000 | 0x7ff6cf2c0000 | 0x7ff6cf2e2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6cf2ec000 | 0x7ff6cf2ec000 | 0x7ff6cf2edfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6cf2ee000 | 0x7ff6cf2ee000 | 0x7ff6cf2eefff | Private Memory | Readable, Writable |
|
|
|
|
| wanacr~1.exe | 0x7ff6cf310000 | 0x7ff6cf418fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x7ffd152d0000 | 0x7ffd152eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7ffd152f0000 | 0x7ffd152f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x7ffd15300000 | 0x7ffd15308fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x7ffd17a20000 | 0x7ffd17a3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x7ffd17c80000 | 0x7ffd17f27fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x7ffd17f30000 | 0x7ffd1816ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x7ffd18a50000 | 0x7ffd18a59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x7ffd18a60000 | 0x7ffd18a88fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmmbase.dll | 0x7ffd1a3f0000 | 0x7ffd1a419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7ffd1af40000 | 0x7ffd1b199fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7ffd1b1a0000 | 0x7ffd1b1c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shcore.dll | 0x7ffd1b380000 | 0x7ffd1b420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7ffd1b9f0000 | 0x7ffd1bb11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x7ffd1bb20000 | 0x7ffd1bb45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x7ffd1c330000 | 0x7ffd1c34efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x7ffd1cca0000 | 0x7ffd1ccb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x7ffd1d050000 | 0x7ffd1d099fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x7ffd1d1b0000 | 0x7ffd1d2e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x7ffd1d4d0000 | 0x7ffd1d520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x7ffd1d550000 | 0x7ffd1d583fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x7ffd1dd30000 | 0x7ffd1dd36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x7ffd1dd40000 | 0x7ffd1dd48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x7ffd1dd50000 | 0x7ffd1f15efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x7ffd1f350000 | 0x7ffd1f3a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comdlg32.dll | 0x7ffd1f550000 | 0x7ffd1f5e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #86 |
| File Name | c:\windows\system32\sppsvc.exe |
| Command Line | C:\Windows\system32\sppsvc.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:03:35, Reason: Child Process |
| Unmonitor | End Time: 00:05:15, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:40 |
| Information | Value |
|---|---|
| PID | 0x880 |
| Parent PID | 0x1cc (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
884
0x
88C
0x
810
0x
62C
0x
3C
0x
438
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000093eb80000 | 0x93eb80000 | 0x93eb9ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000093eb80000 | 0x93eb80000 | 0x93eb8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000093eb90000 | 0x93eb90000 | 0x93eb96fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000093eba0000 | 0x93eba0000 | 0x93ebaefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000093ebb0000 | 0x93ebb0000 | 0x93ec2ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x93ec30000 | 0x93ecadfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000093ecb0000 | 0x93ecb0000 | 0x93ecb6fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000093ecc0000 | 0x93ecc0000 | 0x93ed7ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000093ed80000 | 0x93ed80000 | 0x93ed82fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000093ed90000 | 0x93ed90000 | 0x93ed90fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x000000093eda0000 | 0x93eda0000 | 0x93eda0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000093edb0000 | 0x93edb0000 | 0x93edb0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000093edc0000 | 0x93edc0000 | 0x93edcffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x000000093edd0000 | 0x93edd0000 | 0x93eecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000093eed0000 | 0x93eed0000 | 0x93f09ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000093eed0000 | 0x93eed0000 | 0x93f057fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000093f060000 | 0x93f060000 | 0x93f06ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x000000093f070000 | 0x93f070000 | 0x93f07ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000093f080000 | 0x93f080000 | 0x93f080fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000093f090000 | 0x93f090000 | 0x93f09ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000093f0a0000 | 0x93f0a0000 | 0x93f220fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000093f230000 | 0x93f230000 | 0x93f629fff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0x93f630000 | 0x93f6e9fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000093f630000 | 0x93f630000 | 0x93f6affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000093f6b0000 | 0x93f6b0000 | 0x93f72ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000093f730000 | 0x93f730000 | 0x93f82ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x93f830000 | 0x93fb04fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x000000093fb10000 | 0x93fb10000 | 0x93fc0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000093fc10000 | 0x93fc10000 | 0x93fc8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000093fc90000 | 0x93fc90000 | 0x93fd0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000093fd10000 | 0x93fd10000 | 0x93fe0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000093fe10000 | 0x93fe10000 | 0x94000ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000940010000 | 0x940010000 | 0x940117fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000940010000 | 0x940010000 | 0x940010fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000940020000 | 0x940020000 | 0x940021fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000940030000 | 0x940030000 | 0x94042ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000940120000 | 0x940120000 | 0x940223fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00007ff685790000 | 0x7ff685790000 | 0x7ff68588ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00007ff685890000 | 0x7ff685890000 | 0x7ff6858b2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00007ff6858b5000 | 0x7ff6858b5000 | 0x7ff6858b5fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6858b6000 | 0x7ff6858b6000 | 0x7ff6858b7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6858b8000 | 0x7ff6858b8000 | 0x7ff6858b9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6858ba000 | 0x7ff6858ba000 | 0x7ff6858bbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6858bc000 | 0x7ff6858bc000 | 0x7ff6858bdfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00007ff6858be000 | 0x7ff6858be000 | 0x7ff6858bffff | Private Memory | Readable, Writable |
|
|
|
|
| sppsvc.exe | 0x7ff6862f0000 | 0x7ff6868f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sppobjs.dll | 0x7ffd10be0000 | 0x7ffd10d3dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sppwinob.dll | 0x7ffd10d40000 | 0x7ffd10d7dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptxml.dll | 0x7ffd11040000 | 0x7ffd11060fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| webservices.dll | 0x7ffd11580000 | 0x7ffd116e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwapi.dll | 0x7ffd12e00000 | 0x7ffd12e11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| taskschd.dll | 0x7ffd190d0000 | 0x7ffd1926cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dsrole.dll | 0x7ffd19290000 | 0x7ffd19298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x7ffd192a0000 | 0x7ffd192b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x7ffd192e0000 | 0x7ffd192f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| xmllite.dll | 0x7ffd197f0000 | 0x7ffd19827fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel.appcore.dll | 0x7ffd1bb70000 | 0x7ffd1bb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x7ffd1bf50000 | 0x7ffd1bf5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x7ffd1c060000 | 0x7ffd1c084fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7ffd1c220000 | 0x7ffd1c254fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x7ffd1c640000 | 0x7ffd1c65dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcrypt.dll | 0x7ffd1c870000 | 0x7ffd1c895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x7ffd1cae0000 | 0x7ffd1cb0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| bcryptprimitives.dll | 0x7ffd1cb10000 | 0x7ffd1cb6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x7ffd1cb70000 | 0x7ffd1cb79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x7ffd1cd50000 | 0x7ffd1cd61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x7ffd1ce20000 | 0x7ffd1cff6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x7ffd1d0a0000 | 0x7ffd1d1adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x7ffd1d350000 | 0x7ffd1d4c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x7ffd1d590000 | 0x7ffd1d633fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x7ffd1d640000 | 0x7ffd1d7b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x7ffd1d7d0000 | 0x7ffd1d826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x7ffd1d830000 | 0x7ffd1d8d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x7ffd1da80000 | 0x7ffd1db36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x7ffd1f160000 | 0x7ffd1f298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x7ffd1f2a0000 | 0x7ffd1f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x7ffd1f410000 | 0x7ffd1f545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x7ffd1f5f0000 | 0x7ffd1f734fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| combase.dll | 0x7ffd1f740000 | 0x7ffd1f916fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x7ffd1f920000 | 0x7ffd1fac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\windows\system32\spp\store\2.0\data.dat.tmp | 36.64 KB (37520 bytes) |
MD5:
ec1abca3d8d1cf4cb5fe6cff5b19930c
SHA1: 88ae788f97ffe0a67b4665d931a459491a875297 SHA256: 047b76c8fc87787b5328077ccf0c68c3682be1d481376b46af55d7790c61c8cf |
|
|
| c:\windows\system32\spp\store\2.0\data.dat.bak | 36.64 KB (37520 bytes) |
MD5:
ec1abca3d8d1cf4cb5fe6cff5b19930c
SHA1: 88ae788f97ffe0a67b4665d931a459491a875297 SHA256: 047b76c8fc87787b5328077ccf0c68c3682be1d481376b46af55d7790c61c8cf |
|
|
| c:\windows\system32\spp\store\2.0\data.dat | 36.64 KB (37520 bytes) |
MD5:
ec1abca3d8d1cf4cb5fe6cff5b19930c
SHA1: 88ae788f97ffe0a67b4665d931a459491a875297 SHA256: 047b76c8fc87787b5328077ccf0c68c3682be1d481376b46af55d7790c61c8cf |
|
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\windows\system32\spp\store\2.0\cache\cache.dat | 799.92 KB (819120 bytes) |
MD5:
0916790b7daa7c8607c2f69cdf9b4d3d
SHA1: b35a21d9340e1ea9f82815253f79ee8f0352e2da SHA256: 3d7adb9d7884010b48ad04b51e31902faf5b5602b7216186031369b918fcd192 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-1 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-1, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-10 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-10, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-11 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-11, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-12 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-12, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-13 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-13, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-14 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-14, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-15 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-15, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-16 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-16, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-17 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-17, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-18 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-18, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-19 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-19, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-2 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-2, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-21 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-21, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-22 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-22, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-23 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-23, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-24 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-24, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-25 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-25, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-26 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-26, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-27 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-27, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-28 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-28, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-29 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-29, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-3 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-3, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-30 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-30, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-31 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-31, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-32 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-32, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-33 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-33, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-34 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-34, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-35 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-35, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-36 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-36, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-37 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-37, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-38 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-38, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-39 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-39, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-4 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-4, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-40 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-40, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-41 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-41, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-42 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-42, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-43 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-43, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-44 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-44, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-45 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-45, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-46 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-46, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-47 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-47, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-48 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-48, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-49 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-49, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-5 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-5, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-50 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-50, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-51 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-51, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-6 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-6, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-7 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-7, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-8 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-8, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| Registry | Open Key | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-9 |
|
1 | |
| Registry | Read Value | reg_name = 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-9, type = REG_BINARY |
|
1 | |
| Registry | Enumerate Keys |
|
1 | ||
| File | Get Info | filename = C:\Windows\System32\spp\store\2.0\data.dat.bak, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\spp\store\2.0\data.dat.tmp, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\spp\store\2.0\data.dat.bak, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\spp\store\2.0\data.dat.tmp, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Windows\System32\spp\store\2.0\data.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_WRITE_THROUGH, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\spp\store\2.0\data.dat, type = size, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\spp\store\2.0\data.dat.bak, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\spp\store\2.0\data.dat.tmp, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Windows\System32\spp\store\2.0\data.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_WRITE_THROUGH, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\spp\store\2.0\data.dat, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\spp\store\2.0\data.dat, size = 37504, size_out = 37504 |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:05:01 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffd1f920000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x7ffd1f9b68d0 |
|
1 | |
| System | Get Info |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffd1f920000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x7ffd1f9b68d0 |
|
1 | |
| System | Get Info |
|
1 | ||
| System | Get Time | type = System Time, time = 2017-08-08 15:05:02 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffd1f920000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x7ffd1f9b68d0 |
|
1 | |
| System | Get Info |
|
1 | ||
| Module | Load | module_name = C:\Windows\system32\wwapi.dll, base_address = 0x7ffd12e00000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wwapi.dll, function = WwanOpenHandle, address_out = 0x7ffd12e04cec |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wwapi.dll, function = WwanCloseHandle, address_out = 0x7ffd12e054e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wwapi.dll, function = WwanEnumerateInterfaces, address_out = 0x7ffd12e058e4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wwapi.dll, function = WwanQueryInterface, address_out = 0x7ffd12e05c58 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\wwapi.dll, function = WwanFreeMemory, address_out = 0x7ffd12e07e8c |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\spp\store\2.0\data.dat.bak, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\spp\store\2.0\data.dat.tmp, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Windows\System32\spp\store\2.0\data.dat.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_WRITE_THROUGH, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Write | filename = C:\Windows\System32\spp\store\2.0\data.dat.tmp, size = 37520 |
|
1 | |
| File | Move | source_filename = C:\Windows\System32\spp\store\2.0\data.dat.tmp, destination_filename = C:\Windows\System32\spp\store\2.0\data.dat.bak, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_WRITE_THROUGH |
|
1 | |
| File | Move | source_filename = C:\Windows\System32\spp\store\2.0\data.dat.bak, destination_filename = C:\Windows\System32\spp\store\2.0\data.dat, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_WRITE_THROUGH |
|
1 | |
| System | Get Time | type = System Time, time = 2017-08-08 15:05:05 (UTC) |
|
2 | |
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffd1f920000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x7ffd1f9b68d0 |
|
1 | |
| System | Get Info |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffd1f920000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x7ffd1f9b68d0 |
|
1 | |
| System | Get Info |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffd1f920000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x7ffd1f9b68d0 |
|
1 | |
| System | Get Info |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffd1f920000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x7ffd1f9b68d0 |
|
1 | |
| System | Get Info |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffd1f920000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x7ffd1f9b68d0 |
|
1 | |
| System | Get Info |
|
1 | ||
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffd1f920000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x7ffd1f9b68d0 |
|
1 | |
| System | Get Info |
|
1 |
