VTI SCORE: 91/100
Dynamic Analysis Report |
Classification: Trojan |
3c6a74d216e10e4ff158716cfa72984230995041c4bbb7596b8c8aaa461d76c5 (SHA256)
ggzn.doc
Word Document
Created at 2018-08-06 13:03:00
Monitored Processes
Process Overview
»
ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
---|---|---|---|---|---|---|
#1 | 0xe0 | Analysis Target | Medium | winword.exe | "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n | - |
Behavior Information - Sequential View
Process #1: winword.exe
0
0
»
Information | Value |
---|---|
ID | #1 |
File Name | c:\program files\microsoft office\office16\winword.exe |
Command Line | "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n |
Initial Working Directory | C:\Users\Nd9E1FYi\Desktop\ |
Monitor | Start Time: 00:00:17, Reason: Analysis Target |
Unmonitor | End Time: 00:02:23, Reason: Terminated by Timeout |
Monitor Duration | 00:02:06 |
Remark | No high level activity detected in monitored regions |
OS Process Information
»
Information | Value |
---|---|
PID | 0xe0 |
Parent PID | 0x7d4 (c:\windows\explorer.exe) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | X2VS1CUM\Nd9E1FYi |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs |
0x
44C
0x
E94
0x
D54
0x
80C
0x
424
0x
E18
0x
5B0
0x
2E4
0x
874
0x
62C
0x
5F8
0x
4EC
0x
4BC
0x
D34
0x
78
0x
79C
0x
AD8
0x
AD0
0x
C38
0x
B84
|
Region
»
Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
---|---|---|---|---|---|---|---|---|
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r | - | |||
private_0x0000006401600000 | 0x6401600000 | 0x64017fffff | Private Memory | rw | - | |||
private_0x0000006401800000 | 0x6401800000 | 0x64018fffff | Private Memory | rw | - | |||
private_0x0000006401900000 | 0x6401900000 | 0x64019fffff | Private Memory | rw | - | |||
private_0x0000006401b00000 | 0x6401b00000 | 0x6401bfffff | Private Memory | rw | - | |||
private_0x0000006401c00000 | 0x6401c00000 | 0x6401cfffff | Private Memory | rw | - | |||
private_0x0000006401d00000 | 0x6401d00000 | 0x6401dfffff | Private Memory | rw | - | |||
private_0x0000006401e00000 | 0x6401e00000 | 0x6401efffff | Private Memory | rw | - | |||
private_0x0000006401f00000 | 0x6401f00000 | 0x6401ffffff | Private Memory | rw | - | |||
private_0x0000006402000000 | 0x6402000000 | 0x64020fffff | Private Memory | rw | - | |||
private_0x0000006402100000 | 0x6402100000 | 0x64021fffff | Private Memory | rw | - | |||
private_0x0000006402300000 | 0x6402300000 | 0x64023fffff | Private Memory | rw | - | |||
private_0x0000006402400000 | 0x6402400000 | 0x64024fffff | Private Memory | rw | - | |||
private_0x0000006402500000 | 0x6402500000 | 0x64025fffff | Private Memory | rw | - | |||
private_0x0000006402600000 | 0x6402600000 | 0x64026fffff | Private Memory | rw | - | |||
private_0x0000006402700000 | 0x6402700000 | 0x64027fffff | Private Memory | rw | - | |||
pagefile_0x000001a780000000 | 0x1a780000000 | 0x1a780004fff | Pagefile Backed Memory | rw | - | |||
pagefile_0x000001a780010000 | 0x1a780010000 | 0x1a78080ffff | Pagefile Backed Memory | rw | - | |||
pagefile_0x000001a780810000 | 0x1a780810000 | 0x1a780810fff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a780820000 | 0x1a780820000 | 0x1a780820fff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a780830000 | 0x1a780830000 | 0x1a7808bbfff | Pagefile Backed Memory | r | - | |||
private_0x000001a7808c0000 | 0x1a7808c0000 | 0x1a7808c0fff | Private Memory | rw | - | |||
private_0x000001a780a10000 | 0x1a780a10000 | 0x1a780e0ffff | Private Memory | rw | - | |||
private_0x000001a780e10000 | 0x1a780e10000 | 0x1a780f0ffff | Private Memory | rw | - | |||
msxml6r.dll | 0x1a780f10000 | 0x1a780f10fff | Memory Mapped File | r | - | |||
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000025.db | 0x1a780f20000 | 0x1a780f32fff | Memory Mapped File | r | - | |||
pagefile_0x000001a780f40000 | 0x1a780f40000 | 0x1a780f40fff | Pagefile Backed Memory | rw | - | |||
private_0x000001a780f50000 | 0x1a780f50000 | 0x1a780f56fff | Private Memory | rw | - | |||
pagefile_0x000001a780f60000 | 0x1a780f60000 | 0x1a780f61fff | Pagefile Backed Memory | r | - | |||
private_0x000001a780f70000 | 0x1a780f70000 | 0x1a780f70fff | Private Memory | rw | - | |||
pagefile_0x000001a780f80000 | 0x1a780f80000 | 0x1a780f81fff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a780f90000 | 0x1a780f90000 | 0x1a780faefff | Pagefile Backed Memory | rw | - | |||
private_0x000001a780fb0000 | 0x1a780fb0000 | 0x1a780fbffff | Private Memory | rw | - | |||
kernelbase.dll.mui | 0x1a780fc0000 | 0x1a78109ffff | Memory Mapped File | r | - | |||
private_0x000001a7810a0000 | 0x1a7810a0000 | 0x1a78119ffff | Private Memory | rw | - | |||
~fontcache-fontface.dat | 0x1a7811a0000 | 0x1a78219ffff | Memory Mapped File | r | - | |||
segoeui.ttf | 0x1a7821a0000 | 0x1a78227efff | Memory Mapped File | r | - | |||
d2d1.dll.mui | 0x1a782280000 | 0x1a7822c1fff | Memory Mapped File | r | - | |||
pagefile_0x000001a7822d0000 | 0x1a7822d0000 | 0x1a7823a5fff | Pagefile Backed Memory | rw | - | |||
pagefile_0x000001a7823b0000 | 0x1a7823b0000 | 0x1a782485fff | Pagefile Backed Memory | rw | - | |||
pagefile_0x000001a782490000 | 0x1a782490000 | 0x1a7824aefff | Pagefile Backed Memory | rw | - | |||
pagefile_0x000001a7827b0000 | 0x1a7827b0000 | 0x1a7827bffff | Pagefile Backed Memory | rw | - | |||
pagefile_0x000001a7827c0000 | 0x1a7827c0000 | 0x1a7827cffff | Pagefile Backed Memory | rw | - | |||
pagefile_0x000001a7827d0000 | 0x1a7827d0000 | 0x1a7827dffff | Pagefile Backed Memory | rw | - | |||
private_0x000001a7827e0000 | 0x1a7827e0000 | 0x1a782be7fff | Private Memory | rw | - | |||
private_0x000001a782bf0000 | 0x1a782bf0000 | 0x1a782ff9fff | Private Memory | rw | - | |||
private_0x000001a783000000 | 0x1a783000000 | 0x1a78340afff | Private Memory | rw | - | |||
private_0x000001a783410000 | 0x1a783410000 | 0x1a78348ffff | Private Memory | rw | - | |||
private_0x000001a783490000 | 0x1a783490000 | 0x1a78368ffff | Private Memory | rw | - | |||
c_1255.nls | 0x1a783690000 | 0x1a7836a0fff | Memory Mapped File | r | - | |||
staticcache.dat | 0x1a7836b0000 | 0x1a7846effff | Memory Mapped File | r | - | |||
private_0x000001a784700000 | 0x1a784700000 | 0x1a784efffff | Private Memory | rw | - | |||
pagefile_0x000001a784f00000 | 0x1a784f00000 | 0x1a7853ddfff | Pagefile Backed Memory | rw | - | |||
pagefile_0x000001a7f5ff0000 | 0x1a7f5ff0000 | 0x1a7f5ffffff | Pagefile Backed Memory | rw | - | |||
private_0x000001a7f6000000 | 0x1a7f6000000 | 0x1a7f6006fff | Private Memory | rw | - | |||
pagefile_0x000001a7f6010000 | 0x1a7f6010000 | 0x1a7f6024fff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a7f6030000 | 0x1a7f6030000 | 0x1a7f6033fff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a7f6040000 | 0x1a7f6040000 | 0x1a7f6043fff | Pagefile Backed Memory | r | - | |||
private_0x000001a7f6050000 | 0x1a7f6050000 | 0x1a7f6051fff | Private Memory | rw | - | |||
locale.nls | 0x1a7f6060000 | 0x1a7f611dfff | Memory Mapped File | r | - | |||
private_0x000001a7f6120000 | 0x1a7f6120000 | 0x1a7f6126fff | Private Memory | rw | - | |||
private_0x000001a7f6130000 | 0x1a7f6130000 | 0x1a7f6130fff | Private Memory | rw | - | |||
private_0x000001a7f6140000 | 0x1a7f6140000 | 0x1a7f6140fff | Private Memory | rw | - | |||
pagefile_0x000001a7f6150000 | 0x1a7f6150000 | 0x1a7f6151fff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a7f6160000 | 0x1a7f6160000 | 0x1a7f6161fff | Pagefile Backed Memory | r | - | |||
private_0x000001a7f6170000 | 0x1a7f6170000 | 0x1a7f6170fff | Private Memory | rw | - | |||
private_0x000001a7f6180000 | 0x1a7f6180000 | 0x1a7f6180fff | Private Memory | rw | - | |||
pagefile_0x000001a7f6190000 | 0x1a7f6190000 | 0x1a7f6191fff | Pagefile Backed Memory | r | - | |||
private_0x000001a7f61a0000 | 0x1a7f61a0000 | 0x1a7f61affff | Private Memory | - | - | |||
pagefile_0x000001a7f61b0000 | 0x1a7f61b0000 | 0x1a7f61b1fff | Pagefile Backed Memory | r | - | |||
private_0x000001a7f61c0000 | 0x1a7f61c0000 | 0x1a7f62bffff | Private Memory | rw | - | |||
pagefile_0x000001a7f62c0000 | 0x1a7f62c0000 | 0x1a7f6447fff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a7f6450000 | 0x1a7f6450000 | 0x1a7f6451fff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a7f6460000 | 0x1a7f6460000 | 0x1a7f6461fff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a7f6470000 | 0x1a7f6470000 | 0x1a7f6471fff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a7f6480000 | 0x1a7f6480000 | 0x1a7f6481fff | Pagefile Backed Memory | r | - | |||
winnlsres.dll | 0x1a7f6490000 | 0x1a7f6494fff | Memory Mapped File | r | - | |||
pagefile_0x000001a7f64a0000 | 0x1a7f64a0000 | 0x1a7f64a1fff | Pagefile Backed Memory | r | - | |||
private_0x000001a7f64b0000 | 0x1a7f64b0000 | 0x1a7f64bffff | Private Memory | rw | - | |||
pagefile_0x000001a7f64c0000 | 0x1a7f64c0000 | 0x1a7f6640fff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a7f6650000 | 0x1a7f6650000 | 0x1a7f7a4ffff | Pagefile Backed Memory | r | - | |||
wwintl.dll | 0x1a7f7a50000 | 0x1a7f7b0bfff | Memory Mapped File | r | - | |||
pagefile_0x000001a7f7b10000 | 0x1a7f7b10000 | 0x1a7f7b11fff | Pagefile Backed Memory | r | - | |||
private_0x000001a7f7b20000 | 0x1a7f7b20000 | 0x1a7f7b3ffff | Private Memory | rw | - | |||
office.odf | 0x1a7f7b40000 | 0x1a7f7cf8fff | Memory Mapped File | r | - | |||
pagefile_0x000001a7f7d00000 | 0x1a7f7d00000 | 0x1a7f7d00fff | Pagefile Backed Memory | rw | - | |||
winnlsres.dll.mui | 0x1a7f7d10000 | 0x1a7f7d1ffff | Memory Mapped File | r | - | |||
msointl30.dll | 0x1a7f7d20000 | 0x1a7f7d2efff | Memory Mapped File | r | - | |||
msointl.dll | 0x1a7f7d30000 | 0x1a7f7eaafff | Memory Mapped File | r | - | |||
private_0x000001a7f7eb0000 | 0x1a7f7eb0000 | 0x1a7f7ebffff | Private Memory | rw | - | |||
mso40uires.dll | 0x1a7f7ec0000 | 0x1a7f81c7fff | Memory Mapped File | r | - | |||
mso99lres.dll | 0x1a7f81d0000 | 0x1a7f8af0fff | Memory Mapped File | r | - | |||
msores.dll | 0x1a7f8b00000 | 0x1a7fd93efff | Memory Mapped File | r | - | |||
pagefile_0x000001a7fd9e0000 | 0x1a7fd9e0000 | 0x1a7fd9e0fff | Pagefile Backed Memory | rw | - | |||
pagefile_0x000001a7fd9f0000 | 0x1a7fd9f0000 | 0x1a7fd9f0fff | Pagefile Backed Memory | rw | - | |||
private_0x000001a7fda00000 | 0x1a7fda00000 | 0x1a7fda00fff | Private Memory | rw | - | |||
private_0x000001a7fda10000 | 0x1a7fda10000 | 0x1a7fda16fff | Private Memory | rw | - | |||
sortdefault.nls | 0x1a7fdae0000 | 0x1a7fde16fff | Memory Mapped File | r | - | |||
private_0x000001a7fde20000 | 0x1a7fde20000 | 0x1a7fdf1ffff | Private Memory | rw | - | |||
pagefile_0x000001a7fdf20000 | 0x1a7fdf20000 | 0x1a7fdf4dfff | Pagefile Backed Memory | rw | - | |||
private_0x000001a7fdf50000 | 0x1a7fdf50000 | 0x1a7fdf50fff | Private Memory | rw | - | |||
private_0x000001a7fdf60000 | 0x1a7fdf60000 | 0x1a7fdf60fff | Private Memory | rw | - | |||
private_0x000001a7fdf70000 | 0x1a7fdf70000 | 0x1a7fdf70fff | Private Memory | rw | - | |||
pagefile_0x000001a7fdf80000 | 0x1a7fdf80000 | 0x1a7fe03bfff | Pagefile Backed Memory | r | - | |||
pagefile_0x000001a7fe040000 | 0x1a7fe040000 | 0x1a7fe043fff | Pagefile Backed Memory | r | - | |||
~fontcache-system.dat | 0x1a7fe050000 | 0x1a7fe0c5fff | Memory Mapped File | r | - | |||
private_0x000001a7fe0d0000 | 0x1a7fe0d0000 | 0x1a7fe1cffff | Private Memory | rw | - | |||
~fontcache-s-1-5-21-2172869166-1497266965-2109836178-1000.dat | 0x1a7fe1d0000 | 0x1a7fe9cffff | Memory Mapped File | r | - | |||
private_0x000001a7fe9d0000 | 0x1a7fe9d0000 | 0x1a7fedcffff | Private Memory | rw | - | |||
pagefile_0x000001a7fedd0000 | 0x1a7fedd0000 | 0x1a7ff2c1fff | Pagefile Backed Memory | rw | - | |||
private_0x000001a7ff2d0000 | 0x1a7ff2d0000 | 0x1a7ff2d0fff | Private Memory | rw | - | |||
private_0x000001a7ff2e0000 | 0x1a7ff2e0000 | 0x1a7ff2e0fff | Private Memory | rw | - | |||
pagefile_0x000001a7ff2f0000 | 0x1a7ff2f0000 | 0x1a7ff2f0fff | Pagefile Backed Memory | rw | - | |||
private_0x000001a7ff300000 | 0x1a7ff300000 | 0x1a7ff300fff | Private Memory | rw | - | |||
private_0x000001a7ff310000 | 0x1a7ff310000 | 0x1a7ff316fff | Private Memory | rw | - | |||
private_0x000001a7ff380000 | 0x1a7ff380000 | 0x1a7ff38ffff | Private Memory | rw | - | |||
private_0x000001a7ff390000 | 0x1a7ff390000 | 0x1a7ff58ffff | Private Memory | rw | - | |||
private_0x000001a7ff6e0000 | 0x1a7ff6e0000 | 0x1a7ff6effff | Private Memory | rw | - | |||
private_0x00007ff78b910000 | 0x7ff78b910000 | 0x7ff78b91ffff | Private Memory | - | - | |||
private_0x00007ff78b920000 | 0x7ff78b920000 | 0x7ff78b92ffff | Private Memory | - | - | |||
pagefile_0x00007ff78b930000 | 0x7ff78b930000 | 0x7ff78ba2ffff | Pagefile Backed Memory | r | - | |||
pagefile_0x00007ff78ba30000 | 0x7ff78ba30000 | 0x7ff78ba52fff | Pagefile Backed Memory | r | - | |||
winword.exe | 0x7ff78c360000 | 0x7ff78c539fff | Memory Mapped File | rwx | - | |||
private_0x00007ff8d6250000 | 0x7ff8d6250000 | 0x7ff8d625ffff | Private Memory | rwx | - | |||
usp10.dll | 0x7ff8f5160000 | 0x7ff8f5177fff | Memory Mapped File | rwx | - | |||
chart.dll | 0x7ff8f5180000 | 0x7ff8f5c78fff | Memory Mapped File | rwx | - | |||
riched20.dll | 0x7ff8f6110000 | 0x7ff8f6332fff | Memory Mapped File | rwx | - | |||
msptls.dll | 0x7ff8f6340000 | 0x7ff8f64affff | Memory Mapped File | rwx | - | |||
mso.dll | 0x7ff8f64b0000 | 0x7ff8f778bfff | Memory Mapped File | rwx | - | |||
mso99lwin32client.dll | 0x7ff8f7790000 | 0x7ff8f7f5bfff | Memory Mapped File | rwx | - | |||
mso40uiwin32client.dll | 0x7ff8f7f60000 | 0x7ff8f884afff | Memory Mapped File | rwx | - | |||
mso30win32client.dll | 0x7ff8f8850000 | 0x7ff8f8cc7fff | Memory Mapped File | rwx | - | |||
oart.dll | 0x7ff8f8cd0000 | 0x7ff8f9e3bfff | Memory Mapped File | rwx | - | |||
wwlib.dll | 0x7ff8f9e40000 | 0x7ff8fc1defff | Memory Mapped File | rwx | - | |||
mso20win32client.dll | 0x7ff8fd320000 | 0x7ff8fd623fff | Memory Mapped File | rwx | - | |||
mscoreei.dll | 0x7ff8fe110000 | 0x7ff8fe1a7fff | Memory Mapped File | rwx | - | |||
mscoree.dll | 0x7ff9005a0000 | 0x7ff900607fff | Memory Mapped File | rwx | - | |||
d3d10_1core.dll | 0x7ff900610000 | 0x7ff900671fff | Memory Mapped File | rwx | - | |||
d3d10_1.dll | 0x7ff900c50000 | 0x7ff900c81fff | Memory Mapped File | rwx | - | |||
mlang.dll | 0x7ff900dc0000 | 0x7ff900dfdfff | Memory Mapped File | rwx | - | |||
msxml6.dll | 0x7ff904750000 | 0x7ff9049c9fff | Memory Mapped File | rwx | - | |||
winspool.drv | 0x7ff904d10000 | 0x7ff904d93fff | Memory Mapped File | rwx | - | |||
msi.dll | 0x7ff906270000 | 0x7ff9065a9fff | Memory Mapped File | rwx | - | |||
msvcp140.dll | 0x7ff9065b0000 | 0x7ff90664bfff | Memory Mapped File | rwx | - | |||
vcruntime140.dll | 0x7ff906650000 | 0x7ff906665fff | Memory Mapped File | rwx | - | |||
twinapi.dll | 0x7ff908370000 | 0x7ff908420fff | Memory Mapped File | rwx | - | |||
netprofm.dll | 0x7ff909310000 | 0x7ff90934ffff | Memory Mapped File | rwx | - | |||
secur32.dll | 0x7ff90a710000 | 0x7ff90a71bfff | Memory Mapped File | rwx | - | |||
version.dll | 0x7ff90a9d0000 | 0x7ff90a9d9fff | Memory Mapped File | rwx | - | |||
gdiplus.dll | 0x7ff90aa00000 | 0x7ff90aba8fff | Memory Mapped File | rwx | - | |||
For performance reasons, the remaining 182 entries are omitted.
The remaining entries can be found in flog.txt. |