0d4e21cec341cd742aa47f3f3bd4b7a903ab558a646ddd2c55b153bbf7dc5b6c (SHA256)
orden de pedido 05.xlsx
Excel Document
Created at 2018-11-05 09:27:00
Notifications (2/2)
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: excel.exe
0
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\excel.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:18, Reason: Analysis Target |
| Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8fc |
| Parent PID | 0x39c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AE8
0x
AE4
0x
AE0
0x
ADC
0x
AAC
0x
AA8
0x
A48
0x
A40
0x
A10
0x
A0C
0x
A04
0x
A00
0x
9A0
0x
990
0x
98C
0x
988
0x
978
0x
970
0x
96C
0x
968
0x
964
0x
960
0x
940
0x
920
0x
91C
0x
918
0x
914
0x
910
0x
90C
0x
908
0x
900
0x
AF8
0x
AFC
0x
B10
0x
B14
0x
810
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00201fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00232fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00252fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00262fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00272fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00282fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00292fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00530fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00541fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00550000 | 0x0055bfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x00560000 | 0x00567fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00707fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00890fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x01c9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01ca0000 | 0x01f6efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001f70000 | 0x01f70000 | 0x02362fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x0266ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x02670000 | 0x0267ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002680000 | 0x02680000 | 0x02680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002690000 | 0x02690000 | 0x02690fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000026a0000 | 0x026a0000 | 0x026a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000026b0000 | 0x026b0000 | 0x026b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000026c0000 | 0x026c0000 | 0x026c4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000026d0000 | 0x026d0000 | 0x026d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x0275ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002760000 | 0x02760000 | 0x0283efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002840000 | 0x02840000 | 0x0293ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002940000 | 0x02940000 | 0x02941fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x02950fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002960000 | 0x02960000 | 0x02960fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x02970fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002980000 | 0x02980000 | 0x02980fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x02990fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x02a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002aa0000 | 0x02aa0000 | 0x02aa1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ab0000 | 0x02ab0000 | 0x02ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ac0000 | 0x02ac0000 | 0x02ac0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02bcffff | Private Memory | rw |
|
|
|
- |
| xlintl32.dll | 0x02bd0000 | 0x03c17fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x03c20000 | 0x03cdffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000003ce0000 | 0x03ce0000 | 0x03ce1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003cf0000 | 0x03cf0000 | 0x03deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003df0000 | 0x03df0000 | 0x03df0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e00000 | 0x03e00000 | 0x03e00fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003e10000 | 0x03e10000 | 0x03e11fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003e20000 | 0x03e20000 | 0x03f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f20000 | 0x03f20000 | 0x0401ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004020000 | 0x04020000 | 0x04020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004030000 | 0x04030000 | 0x04031fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004040000 | 0x04040000 | 0x0413ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004140000 | 0x04140000 | 0x041bffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x041c0000 | 0x041dffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000041e0000 | 0x041e0000 | 0x041e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000041f0000 | 0x041f0000 | 0x041f1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004200000 | 0x04200000 | 0x04201fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004210000 | 0x04210000 | 0x0421ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004220000 | 0x04220000 | 0x0431ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004320000 | 0x04320000 | 0x0441ffff | Private Memory | rw |
|
|
|
- |
| c_1255.nls | 0x04420000 | 0x04430fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004440000 | 0x04440000 | 0x04441fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004450000 | 0x04450000 | 0x04450fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x044dffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x044e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x04500fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x0460ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004610000 | 0x04610000 | 0x04a0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04a41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a50fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a60000 | 0x04a60000 | 0x04a61fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a70000 | 0x04a70000 | 0x04a71fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x04a80000 | 0x04a83fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x04a90000 | 0x04abffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x04ac0000 | 0x04ac3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x04ad0000 | 0x04b35fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004b40000 | 0x04b40000 | 0x04b41fff | Pagefile Backed Memory | r |
|
|
|
- |
| comdlg32.dll.mui | 0x04b50000 | 0x04b5cfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x04b61fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b71fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04ba0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x04cb0000 | 0x04d2efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d62fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d72fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x0527ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x0537ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x05382fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005390000 | 0x05390000 | 0x05392fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x053a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053b0000 | 0x053b0000 | 0x054affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000054b0000 | 0x054b0000 | 0x057f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| tahoma.ttf | 0x05800000 | 0x058aafff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000058b0000 | 0x058b0000 | 0x058b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000058c0000 | 0x058c0000 | 0x058c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000058d0000 | 0x058d0000 | 0x0594ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005950000 | 0x05950000 | 0x05950fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005960000 | 0x05960000 | 0x05960fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005970000 | 0x05970000 | 0x05971fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005980000 | 0x05980000 | 0x05980fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005990000 | 0x05990000 | 0x059d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000059e0000 | 0x059e0000 | 0x05a27fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a30000 | 0x05a30000 | 0x05a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a40000 | 0x05a40000 | 0x05a41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a50000 | 0x05a50000 | 0x05a50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a60000 | 0x05a60000 | 0x05b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005b60000 | 0x05b60000 | 0x05b61fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005b70000 | 0x05b70000 | 0x05b71fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x05b80000 | 0x05b83fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005b90000 | 0x05b90000 | 0x05b90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005ba0000 | 0x05ba0000 | 0x05ba0fff | Private Memory | rw |
|
|
|
- |
| {40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x05bb0000 | 0x05bb0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005bc0000 | 0x05bc0000 | 0x05bc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005bd0000 | 0x05bd0000 | 0x05bd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005be0000 | 0x05be0000 | 0x05be0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005bf0000 | 0x05bf0000 | 0x05ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005cf0000 | 0x05cf0000 | 0x05cf0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d00000 | 0x05d00000 | 0x05d00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d10000 | 0x05d10000 | 0x05d10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d20000 | 0x05d20000 | 0x05d20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d30000 | 0x05d30000 | 0x05e2ffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 341 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #2: eqnedt32.exe
8
1
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:56, Reason: RPC Server |
| Unmonitor | End Time: 00:02:28, Reason: Self Terminated |
| Monitor Duration | 00:00:32 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb50 |
| Parent PID | 0x258 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B54
0x
B60
0x
B6C
0x
B74
0x
B78
0x
B84
0x
B88
0x
B8C
0x
B90
0x
B94
0x
BC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00246fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00251fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00341fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x00350000 | 0x00350fff | Memory Mapped File | r |
|
|
|
- |
| index.dat | 0x00350000 | 0x0035bfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00361fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x003c0000 | 0x003c7fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x003d0000 | 0x003dffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| eqnedt32.exe | 0x00400000 | 0x0048dfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00617fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00660fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x01dcffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01dd0000 | 0x0209efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000020a0000 | 0x020a0000 | 0x02492fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000024a0000 | 0x024a0000 | 0x0257efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002580000 | 0x02580000 | 0x025bffff | Private Memory | rw |
|
|
|
- |
| c_20127.nls | 0x025c0000 | 0x025d0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x0262ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002660000 | 0x02660000 | 0x0266ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002670000 | 0x02670000 | 0x02a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a70000 | 0x02a70000 | 0x02b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b70000 | 0x02b70000 | 0x02c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c70000 | 0x02c70000 | 0x02d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d70000 | 0x02d70000 | 0x02e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e70000 | 0x02e70000 | 0x02eeffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02ef0000 | 0x02faffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002fb0000 | 0x02fb0000 | 0x02feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x0304ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03050000 | 0x0397ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003980000 | 0x03980000 | 0x03a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a80000 | 0x03a80000 | 0x03c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a80000 | 0x03a80000 | 0x03b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a80000 | 0x03a80000 | 0x03abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ae0000 | 0x03ae0000 | 0x03b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b20000 | 0x03b20000 | 0x03c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c10000 | 0x03c10000 | 0x03c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c50000 | 0x03c50000 | 0x03d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d50000 | 0x03d50000 | 0x03e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e50000 | 0x03e50000 | 0x03f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f50000 | 0x03f50000 | 0x040effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f50000 | 0x03f50000 | 0x0404ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000040e0000 | 0x040e0000 | 0x040effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000040f0000 | 0x040f0000 | 0x0428ffff | Private Memory | rw |
|
|
|
- |
| eeintl.dll | 0x3de20000 | 0x3de2dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000006fe20000 | 0x6fe20000 | 0x6fe2ffff | Private Memory | rwx |
|
|
|
- |
| msi.dll | 0x74b10000 | 0x74d4ffff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x74c80000 | 0x74c87fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x74c90000 | 0x74ce9fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x74cf0000 | 0x74cf5fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x74d00000 | 0x74d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74d10000 | 0x74d4bfff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74f80000 | 0x74f84fff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x74f90000 | 0x74f95fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x74fa0000 | 0x74facfff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x74fb0000 | 0x75001fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75010000 | 0x751adfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x75290000 | 0x75292fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x75350000 | 0x75364fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x75370000 | 0x75376fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x75380000 | 0x7539bfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x753a0000 | 0x753e3fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x753f0000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75430000 | 0x7543dfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75440000 | 0x75455fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75460000 | 0x754e3fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x754f0000 | 0x75506fff | Memory Mapped File | rwx |
|
|
|
- |
| c2r32.dll | 0x75510000 | 0x75688fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvsubsystems32.dll | 0x75690000 | 0x75847fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x75a00000 | 0x75a02fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76450000 | 0x76484fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77df0000 | 0x77df5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ef9e000 | 0x7ef9e000 | 0x7efa0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 32 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Roaming\svchost.exe | 693.00 KB |
MD5:
7cd1dbbd8457d59274642c9a6e3e60dd
SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Roaming\svchost.exe | 693.00 KB |
MD5:
7cd1dbbd8457d59274642c9a6e3e60dd
SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2 |
|
|
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\svchost.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\svchost.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (6)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Urlmon | base_address = 0x75ac0000 |
|
1 | |
| Load | Shell32 | base_address = 0x76b00000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x76234173 |
|
1 | |
| Get Address | c:\windows\syswow64\urlmon.dll | function = URLDownloadToFileW, address_out = 0x75b566f6 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x76b21e46 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x76237a10 |
|
1 |
Network Behavior
URL (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Download | url = http://23.249.167.158/file/doc/scvhost.exe, filename = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe |
|
1 |
Process #4: svchost.exe
153
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\aetadzjz\appdata\roaming\svchost.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\svchost.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbcc |
| Parent PID | 0xb50 (c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00320fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00336fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f6fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x00400000 | 0x004b2fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x00656fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x00650fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x01ceffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01d00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e80000 | 0x01e80000 | 0x01e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e90000 | 0x01e90000 | 0x0207ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002080000 | 0x02080000 | 0x02472fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002480000 | 0x02480000 | 0x23daffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002480000 | 0x02480000 | 0x0a480fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02480000 | 0x0274efff | Memory Mapped File | r |
|
|
|
- |
| version.dll | 0x74ba0000 | 0x74ba8fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75460000 | 0x754e3fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x77780000 | 0x777fafff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\aETAdzjz\AppData\Roaming\svchost.exe | 693.00 KB |
MD5:
7cd1dbbd8457d59274642c9a6e3e60dd
SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Roaming\svchost.exe | 693.00 KB |
MD5:
7cd1dbbd8457d59274642c9a6e3e60dd
SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2 |
|
|
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe:ZoneIdentifier | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create Directory | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT | - |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | type = file_attributes |
|
1 | |
| Copy | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | source_filename = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe:ZoneIdentifier | size = 0 |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 1 "C:\Users\aETAdzjz\AppData\Roaming\svchost.exe" 1159BD3 | os_pid = 0x818, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | os_pid = 0x81c, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, show_window = SW_HIDE |
|
1 |
Module (65)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Users\aETAdzjz\AppData\Roaming\svchost.ENU | base_address = 0x0 |
|
1 | |
| Load | C:\Users\aETAdzjz\AppData\Roaming\svchost.EN | base_address = 0x0 |
|
1 | |
| Load | C3taUqjCU7eqAyIdAPzjF1nHWemMrup9L3lp460T2.dll | base_address = 0x0 |
|
1 | |
| Load | shell32 | base_address = 0x76b00000 |
|
1 | |
| Load | user32 | base_address = 0x77820000 |
|
1 | |
| Load | advapi32 | base_address = 0x76490000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\roaming\svchost.exe | base_address = 0x400000 |
|
2 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76720000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77820000 |
|
4 | |
| Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | base_address = 0x75460000 |
|
1 | |
| Get Handle | mzfjTcKYjWs7xdfL71cu9tmd9Cw | base_address = 0x0 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\svchost.exe | process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 261 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\svchost.exe | process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 256 |
|
1 | |
| Get Filename | C:\Users\aETAdzjz\AppData\Roaming\svchost.EN | process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 255 |
|
1 | |
| Get Filename | Unknown module name | process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 260 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExA, address_out = 0x762b434f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x76724c28 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7679c802 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7679ec66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76745934 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7679d332 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7679dbd4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7679e405 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7679f00a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7679f15e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76745a98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7679ecfa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7679ee2e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x7673b0dc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x76736fab |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x767401a0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x7673699e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x76746ba7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x76766c12 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x7673dbd1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x76747fdc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x76737a2a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x76740355 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x77844413 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7784451a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = AnimateWindow, address_out = 0x7784b531 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitializeFlatSB, address_out = 0x7549266f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = UninitializeFlatSB, address_out = 0x75492542 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollProp, address_out = 0x75491d29 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollProp, address_out = 0x7549238d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_EnableScrollBar, address_out = 0x754920c9 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_ShowScrollBar, address_out = 0x75491fdb |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollRange, address_out = 0x75491e8d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollInfo, address_out = 0x75491f0f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollPos, address_out = 0x75491ccd |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollPos, address_out = 0x7549216d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollInfo, address_out = 0x754922be |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollRange, address_out = 0x754921e2 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetLayeredWindowAttributes, address_out = 0x7785ec88 |
|
1 | |
| Get Address | Unknown module name | function = AZMOMSaCRwayip0wWNKiES7U, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x77841218 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | svchost | class_name = TApplication, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | svchost | class_name = TApplication, index = 18446744073709551612, new_long = 3280879 |
|
1 |
Keyboard (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 0, result_out = 4 |
|
1 | |
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Get Info | type = KB_LOCALE_ID |
|
1 |
System (68)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 860, y_out = 449 |
|
4 | |
| Get Cursor | x_out = 215, y_out = 475 |
|
15 | |
| Get Cursor | x_out = 430, y_out = 475 |
|
13 | |
| Sleep | duration = 172 milliseconds (0.172 seconds) |
|
31 | |
| Get Time | type = Ticks, time = 193363 |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Operating System |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = 1159BD3 |
|
1 |
Debug (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\aetadzjz\appdata\roaming\svchost.exe | - |
|
1 | |
| Check for Presence | c:\users\aetadzjz\appdata\roaming\svchost.exe | - |
|
1 |
Process #6: document.exe
138
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\aetadzjz\appdata\roaming\document\document.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 1 "C:\Users\aETAdzjz\AppData\Roaming\svchost.exe" 1159BD3 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:45, Reason: Child Process |
| Unmonitor | End Time: 00:03:14, Reason: Self Terminated |
| Monitor Duration | 00:00:29 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x818 |
| Parent PID | 0xbcc (c:\users\aetadzjz\appdata\roaming\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
820
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00260fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00277fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00380000 | 0x003e6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| document.exe | 0x00400000 | 0x004b2fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000004c0000 | 0x004c0000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0061efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x01d5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01e5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01ffffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x02000000 | 0x0292ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002930000 | 0x02930000 | 0x02d22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002d30000 | 0x02d30000 | 0x2465ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002d30000 | 0x02d30000 | 0x0ad30fff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x74ba0000 | 0x74ba8fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75460000 | 0x754e3fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x77780000 | 0x777fafff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\svchost.exe | type = file_attributes |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Roaming\svchost.exe | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
1 |
Module (62)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.ENU | base_address = 0x0 |
|
1 | |
| Load | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN | base_address = 0x0 |
|
1 | |
| Load | C3taUqjCU7eqAyIdAPzjF1nHWemMrup9L3lp460T2.dll | base_address = 0x0 |
|
1 | |
| Load | shell32 | base_address = 0x76b00000 |
|
1 | |
| Load | user32 | base_address = 0x77820000 |
|
1 | |
| Load | advapi32 | base_address = 0x76490000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\roaming\document\document.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76720000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77820000 |
|
4 | |
| Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | base_address = 0x75460000 |
|
1 | |
| Get Handle | mzfjTcKYjWs7xdfL71cu9tmd9Cw | base_address = 0x0 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\document\document.exe | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\document\document.exe | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 256 |
|
1 | |
| Get Filename | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 255 |
|
1 | |
| Get Filename | Unknown module name | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExA, address_out = 0x762b434f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x76724c28 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7679c802 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7679ec66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76745934 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7679d332 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7679dbd4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7679e405 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7679f00a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7679f15e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76745a98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7679ecfa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7679ee2e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x7673b0dc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x76736fab |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x767401a0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x7673699e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x76746ba7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x76766c12 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x7673dbd1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x76747fdc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x76737a2a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x76740355 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x77844413 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7784451a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = AnimateWindow, address_out = 0x7784b531 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitializeFlatSB, address_out = 0x7549266f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = UninitializeFlatSB, address_out = 0x75492542 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollProp, address_out = 0x75491d29 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollProp, address_out = 0x7549238d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_EnableScrollBar, address_out = 0x754920c9 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_ShowScrollBar, address_out = 0x75491fdb |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollRange, address_out = 0x75491e8d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollInfo, address_out = 0x75491f0f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollPos, address_out = 0x75491ccd |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollPos, address_out = 0x7549216d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollInfo, address_out = 0x754922be |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollRange, address_out = 0x754921e2 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetLayeredWindowAttributes, address_out = 0x7785ec88 |
|
1 | |
| Get Address | Unknown module name | function = AZMOMSaCRwayip0wWNKiES7U, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x77841218 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Document | class_name = TApplication, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | Document | class_name = TApplication, index = 18446744073709551612, new_long = 1708015 |
|
1 |
Keyboard (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 0, result_out = 4 |
|
1 | |
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Get Info | type = KB_LOCALE_ID |
|
1 |
System (62)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 667, y_out = 445 |
|
15 | |
| Get Cursor | x_out = 882, y_out = 445 |
|
14 | |
| Sleep | duration = 172 milliseconds (0.172 seconds) |
|
28 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Operating System |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | mutex_name = 1159BD3, desired_access = SYNCHRONIZE |
|
1 |
Debug (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\aetadzjz\appdata\roaming\document\document.exe | - |
|
1 | |
| Check for Presence | c:\users\aetadzjz\appdata\roaming\document\document.exe | - |
|
1 |
Process #7: document.exe
243
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\aetadzjz\appdata\roaming\document\document.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:45, Reason: Child Process |
| Unmonitor | End Time: 00:03:13, Reason: Self Terminated |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x81c |
| Parent PID | 0xbcc (c:\users\aetadzjz\appdata\roaming\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
600
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | rw |
|
|
|
- |
| document.exe | 0x00400000 | 0x004b2fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000004c0000 | 0x004c0000 | 0x004d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0051afff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00520fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00530fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x01d5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d60000 | 0x01d60000 | 0x01e3efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e40000 | 0x01e40000 | 0x01ea4fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ee0000 | 0x01ee0000 | 0x020fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001ee0000 | 0x01ee0000 | 0x01f0bfff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x00000000020c0000 | 0x020c0000 | 0x020fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002100000 | 0x02100000 | 0x0232ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x02330000 | 0x02c5ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002c60000 | 0x02c60000 | 0x03052fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x2498ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x0b060fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x03060000 | 0x0332efff | Memory Mapped File | r |
|
|
|
- |
| version.dll | 0x74ba0000 | 0x74ba8fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75460000 | 0x754e3fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x77780000 | 0x777fafff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs | 0.14 KB |
MD5:
6fe3ecd814abef913dd5064746ad05bc
SHA1: 536cb57f4568328db82d729ab34f0753ab45e0a2 SHA256: eaf5fa6489fc6913be7dc196d71f0c22e36f8a8a48899be71a366d1e1112b141 SSDeep: 3:DG0VRmnwzFTUXoLqgBPN9lLenoJxzp4EaKC5NupEl0dAH2:DjinwtfPBPNCo/zpJaZ5NupE7W |
|
|
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs | size = 141 |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" | os_pid = 0xa38, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 2 2616 18220554 | os_pid = 0xa68, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, show_window = SW_HIDE |
|
1 |
Thread (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\aetadzjz\appdata\roaming\document\document.exe | os_tid = 0x600 |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\roaming\document\document.exe | os_tid = 0x600 |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\roaming\document\document.exe | os_tid = 0x600 |
|
1 |
Module (155)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.ENU | base_address = 0x0 |
|
1 | |
| Load | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN | base_address = 0x0 |
|
1 | |
| Load | C3taUqjCU7eqAyIdAPzjF1nHWemMrup9L3lp460T2.dll | base_address = 0x0 |
|
1 | |
| Load | shell32 | base_address = 0x76b00000 |
|
1 | |
| Load | user32 | base_address = 0x77820000 |
|
1 | |
| Load | advapi32 | base_address = 0x76490000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\roaming\document\document.exe | base_address = 0x400000 |
|
85 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76720000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77820000 |
|
4 | |
| Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | base_address = 0x75460000 |
|
1 | |
| Get Handle | mzfjTcKYjWs7xdfL71cu9tmd9Cw | base_address = 0x0 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\document\document.exe | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\document\document.exe | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 256 |
|
1 | |
| Get Filename | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 255 |
|
1 | |
| Get Filename | Unknown module name | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260 |
|
4 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExA, address_out = 0x762b434f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x76724c28 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7679c802 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7679ec66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76745934 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7679d332 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7679dbd4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7679e405 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7679f00a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7679f15e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76745a98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7679ecfa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7679ee2e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x7673b0dc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x76736fab |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x767401a0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x7673699e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x76746ba7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x76766c12 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x7673dbd1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x76747fdc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x76737a2a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x76740355 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x77844413 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7784451a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = AnimateWindow, address_out = 0x7784b531 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitializeFlatSB, address_out = 0x7549266f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = UninitializeFlatSB, address_out = 0x75492542 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollProp, address_out = 0x75491d29 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollProp, address_out = 0x7549238d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_EnableScrollBar, address_out = 0x754920c9 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_ShowScrollBar, address_out = 0x75491fdb |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollRange, address_out = 0x75491e8d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollInfo, address_out = 0x75491f0f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollPos, address_out = 0x75491ccd |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollPos, address_out = 0x7549216d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollInfo, address_out = 0x754922be |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollRange, address_out = 0x754921e2 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetLayeredWindowAttributes, address_out = 0x7785ec88 |
|
1 | |
| Get Address | Unknown module name | function = AZMOMSaCRwayip0wWNKiES7U, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x77841218 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1635984 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1635984 |
|
1 | |
| Map | - | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1ee0000 |
|
1 | |
| Map | - | process_name = "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe", protection = PAGE_EXECUTE_READWRITE, address_out = 0x400000 |
|
1 | |
| Map | - | process_name = "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe", protection = PAGE_EXECUTE_READWRITE, address_out = 0x1a0000 |
|
1 | |
| Map | - | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x530000 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Document | class_name = TApplication, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | Document | class_name = TApplication, index = 18446744073709551612, new_long = 2166767 |
|
1 |
Keyboard (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 0, result_out = 4 |
|
1 | |
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Get Info | type = KB_LOCALE_ID |
|
1 |
System (68)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 667, y_out = 445 |
|
16 | |
| Get Cursor | x_out = 882, y_out = 445 |
|
14 | |
| Get Cursor | x_out = 237, y_out = 471 |
|
2 | |
| Sleep | duration = 172 milliseconds (0.172 seconds) |
|
31 | |
| Get Time | type = Ticks, time = 220554 |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Operating System |
|
1 |
Debug (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\aetadzjz\appdata\roaming\document\document.exe | - |
|
1 | |
| Check for Presence | c:\users\aetadzjz\appdata\roaming\document\document.exe | - |
|
1 |
Process #8: document.exe
841
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\users\aetadzjz\appdata\roaming\document\document.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:25, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa38 |
| Parent PID | 0x81c (c:\users\aetadzjz\appdata\roaming\document\document.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
94C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00230000 | 0x0026bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00236fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00241fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00251fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x00260000 | 0x00260fff | Memory Mapped File | r |
|
|
|
- |
| tzres.dll | 0x00260000 | 0x00260fff | Memory Mapped File | r |
|
|
|
- |
| iexplore.exe.mui | 0x00260000 | 0x00261fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00281fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| document.exe | 0x00400000 | 0x004b2fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x0042bfff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x00840fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x01c4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c50000 | 0x01c50000 | 0x0204ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02050000 | 0x0231efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002320000 | 0x02320000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002320000 | 0x02320000 | 0x0239ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023a0000 | 0x023a0000 | 0x0241ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002470000 | 0x02470000 | 0x0254efff | Pagefile Backed Memory | r |
|
|
|
- |
| ~df8f3ab6037267860d.tmp | 0x02550000 | 0x025cffff | Memory Mapped File | rw |
|
|
|
|
| private_0x00000000025e0000 | 0x025e0000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002620000 | 0x02620000 | 0x02a1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002a20000 | 0x02a20000 | 0x02a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002aa0000 | 0x02aa0000 | 0x02e92fff | Pagefile Backed Memory | r |
|
|
|
- |
| staticcache.dat | 0x02ea0000 | 0x037cffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000037d0000 | 0x037d0000 | 0x038cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038d0000 | 0x038d0000 | 0x03a79fff | Private Memory | rw |
|
|
|
- |
| iexplore.exe | 0x038d0000 | 0x03975fff | Memory Mapped File | rwx |
|
|
|
- |
| msvbvm60.dll | 0x72940000 | 0x72a92fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x755f0000 | 0x7578dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75790000 | 0x757cafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x757d0000 | 0x757e5fff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x757f0000 | 0x7584efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #7: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x600 | address = 0x400000, size = 180224 |
|
1 | |
| Modify Memory | #7: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x600 | address = 0x1a0000, size = 4096 |
|
1 | |
| Modify Control Flow | #7: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x600 | os_tid = 0x94c, address = 0x77e301c4 |
|
1 |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Windows\system32\.HLP | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Help\.HLP | type = file_attributes |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (8)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 | value_name = AllowUnsafeObjectPassing, data = 68, type = REG_NONE |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center | value_name = UACDisableNotify, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | value_name = EnableLUA, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (120)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Program Files (x86)\Internet Explorer\iexplore.exe | os_pid = 0xabc, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | C:\Program Files (x86)\Internet Explorer\iexplore.exe | os_pid = 0x35c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Open | System | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\lsm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\microsoft office\root\office16\onenotem.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files (x86)\adobe\easily.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\stockportsconvenient.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\dangerous.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows defender\retained_one_psychology.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\pentium-southampton.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\declare.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\credit-albania.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\celebrate.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\watson_block.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows media player\beef-http-plants.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\hunting garmin marriage.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
3 | |
| Open | c:\users\aetadzjz\appdata\roaming\document\document.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\root\office16\onenotem.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\adobe\easily.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\aetadzjz\appdata\roaming\document\document.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\root\office16\onenotem.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\adobe\easily.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\aetadzjz\appdata\roaming\document\document.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\internet explorer\iexplore.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 |
Thread (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\aetadzjz\appdata\roaming\document\document.exe | os_tid = 0x94c |
|
1 | |
| Get Context | c:\users\aetadzjz\appdata\roaming\document\document.exe | os_tid = 0x94c |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\roaming\document\document.exe | os_tid = 0x94c |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\roaming\document\document.exe | os_tid = 0x94c |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\roaming\document\document.exe | os_tid = 0x94c |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\roaming\document\document.exe | os_tid = 0x94c |
|
1 |
Memory (12)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x4070c0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1636580 |
|
1 | |
| Allocate | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x4070c0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1636580 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x400000, size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x401000, size = 249856 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x43e000, size = 0 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x442000, size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x7efde008, size = 4 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x400000, size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x401000, size = 249856 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x43e000, size = 0 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x442000, size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Internet Explorer\iexplore.exe | address = 0x7efde008, size = 4 |
|
1 |
Module (116)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | OLEAUT32.DLL | base_address = 0x76720000 |
|
1 | |
| Load | SXS.DLL | base_address = 0x757f0000 |
|
1 | |
| Load | kernel32 | base_address = 0x76220000 |
|
7 | |
| Load | Kernel32.dll | base_address = 0x76220000 |
|
1 | |
| Load | user32 | base_address = 0x77820000 |
|
1 | |
| Load | ntdll | base_address = 0x77e20000 |
|
5 | |
| Load | advapi32 | base_address = 0x76490000 |
|
4 | |
| Load | PSAPI.DLL | base_address = 0x75f90000 |
|
3 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
3 | |
| Get Handle | c:\users\aetadzjz\appdata\roaming\document\document.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76720000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x75cf0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77820000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260 |
|
3 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 |
|
3 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\document\document.exe | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 512 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsTNT, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x76235235 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = OleLoadPictureEx, address_out = 0x767870a1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = DispCallFunc, address_out = 0x76733dcf |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = LoadTypeLibEx, address_out = 0x767307b7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = UnRegisterTypeLib, address_out = 0x76751ca9 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = CreateTypeLib2, address_out = 0x76738e70 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromUdate, address_out = 0x76737684 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarUdateFromDate, address_out = 0x7673cc98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetAltMonthNames, address_out = 0x7676903a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNumFromParseNum, address_out = 0x76736231 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarParseNumFromStr, address_out = 0x76735fea |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR4, address_out = 0x76743f94 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR8, address_out = 0x76744e9e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromDate, address_out = 0x7676db72 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromI4, address_out = 0x76752a8c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromCy, address_out = 0x7676d737 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromDec, address_out = 0x7676e015 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromTypeInfo, address_out = 0x7676cc3d |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromGuids, address_out = 0x7676d1c4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetRecordInfo, address_out = 0x7676d48c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetRecordInfo, address_out = 0x7676d4c6 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetIID, address_out = 0x7676d509 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetIID, address_out = 0x7673e7bb |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCopyData, address_out = 0x7673e496 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayAllocDescriptorEx, address_out = 0x7673ddf1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCreateEx, address_out = 0x7676d53f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormat, address_out = 0x76772055 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatDateTime, address_out = 0x767720ea |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatNumber, address_out = 0x76772151 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatPercent, address_out = 0x767721f5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatCurrency, address_out = 0x76772288 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarWeekdayName, address_out = 0x76772335 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMonthName, address_out = 0x767723d5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76745934 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76745a98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCat, address_out = 0x767459b4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7679e405 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarEqv, address_out = 0x7679ef07 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7679f00a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarImp, address_out = 0x7679ef47 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7679f15e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7679dbd4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7679ecfa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarPow, address_out = 0x7679ea66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7679d332 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7679ee2e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAbs, address_out = 0x7679ca11 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFix, address_out = 0x7679cc5f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarInt, address_out = 0x7679cde7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7679c802 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7679ec66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarRound, address_out = 0x7679d155 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x7673b0dc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecAdd, address_out = 0x76755f3e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecCmp, address_out = 0x76744fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCat, address_out = 0x76740d2c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyMulI4, address_out = 0x767559ed |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCmp, address_out = 0x7672f8b8 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x75d39d4e |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x75d00782 |
|
1 | |
| Get Address | c:\windows\syswow64\sxs.dll | function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75837685 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromWindow, address_out = 0x77843150 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromRect, address_out = 0x7785e7a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromPoint, address_out = 0x77845281 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7784451a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x77844413 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x76231245 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x76231222 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetProcessDEPPolicy, address_out = 0x7624eb9a |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CallWindowProcA, address_out = 0x7784792f |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = EnumProcesses, address_out = 0x75f91544 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x76231986 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x76231410 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = EnumProcessModules, address_out = 0x75f91408 |
|
1 | |
| Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleBaseNameA, address_out = 0x75f915a4 |
|
1 |
Window (10)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderRT6Main, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = VBMsoStdCompMgr, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = VBFocusRT6, wndproc_parameter = 0 |
|
1 | |
| Create | XCIV | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | 1 | wndproc_parameter = 0 |
|
1 | |
| Create | - | wndproc_parameter = 0 |
|
1 | |
| Create | 2 | wndproc_parameter = 0 |
|
1 | |
| Create | Run Selected | wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = VBMsoStdCompMgr, index = 0, new_long = 37101724 |
|
1 |
Keyboard (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 |
System (447)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 452, y_out = 497 |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
109 | |
| Get Time | type = Ticks, time = 223799 |
|
2 | |
| Get Time | type = Ticks, time = 223845 |
|
4 | |
| Get Time | type = Ticks, time = 223892 |
|
3 | |
| Get Time | type = Ticks, time = 223939 |
|
3 | |
| Get Time | type = Ticks, time = 223986 |
|
3 | |
| Get Time | type = Ticks, time = 224033 |
|
3 | |
| Get Time | type = Ticks, time = 224079 |
|
3 | |
| Get Time | type = Ticks, time = 224126 |
|
3 | |
| Get Time | type = Ticks, time = 224173 |
|
3 | |
| Get Time | type = Ticks, time = 224220 |
|
3 | |
| Get Time | type = Ticks, time = 224267 |
|
3 | |
| Get Time | type = Ticks, time = 224313 |
|
3 | |
| Get Time | type = Ticks, time = 224360 |
|
3 | |
| Get Time | type = Ticks, time = 224407 |
|
3 | |
| Get Time | type = Ticks, time = 224454 |
|
3 | |
| Get Time | type = Ticks, time = 224501 |
|
3 | |
| Get Time | type = Ticks, time = 224547 |
|
3 | |
| Get Time | type = Ticks, time = 224610 |
|
3 | |
| Get Time | type = Ticks, time = 224672 |
|
3 | |
| Get Time | type = Ticks, time = 224750 |
|
3 | |
| Get Time | type = Ticks, time = 224797 |
|
3 | |
| Get Time | type = Ticks, time = 224844 |
|
3 | |
| Get Time | type = Ticks, time = 224891 |
|
3 | |
| Get Time | type = Ticks, time = 224937 |
|
3 | |
| Get Time | type = Ticks, time = 224984 |
|
3 | |
| Get Time | type = Ticks, time = 225047 |
|
3 | |
| Get Time | type = Ticks, time = 225093 |
|
3 | |
| Get Time | type = Ticks, time = 225140 |
|
3 | |
| Get Time | type = Ticks, time = 225187 |
|
3 | |
| Get Time | type = Ticks, time = 225234 |
|
3 | |
| Get Time | type = Ticks, time = 225281 |
|
3 | |
| Get Time | type = Ticks, time = 225296 |
|
3 | |
| Get Time | type = Ticks, time = 225343 |
|
3 | |
| Get Time | type = Ticks, time = 225390 |
|
3 | |
| Get Time | type = Ticks, time = 225437 |
|
3 | |
| Get Time | type = Ticks, time = 225483 |
|
3 | |
| Get Time | type = Ticks, time = 225530 |
|
3 | |
| Get Time | type = Ticks, time = 225561 |
|
3 | |
| Get Time | type = Ticks, time = 225608 |
|
3 | |
| Get Time | type = Ticks, time = 225655 |
|
3 | |
| Get Time | type = Ticks, time = 225702 |
|
3 | |
| Get Time | type = Ticks, time = 225749 |
|
3 | |
| Get Time | type = Ticks, time = 225842 |
|
3 | |
| Get Time | type = Ticks, time = 226123 |
|
3 | |
| Get Time | type = Ticks, time = 226263 |
|
3 | |
| Get Time | type = Ticks, time = 226310 |
|
3 | |
| Get Time | type = Ticks, time = 226357 |
|
3 | |
| Get Time | type = Ticks, time = 226404 |
|
3 | |
| Get Time | type = Ticks, time = 226451 |
|
3 | |
| Get Time | type = Ticks, time = 226497 |
|
3 | |
| Get Time | type = Ticks, time = 226544 |
|
3 | |
| Get Time | type = Ticks, time = 226591 |
|
3 | |
| Get Time | type = Ticks, time = 226638 |
|
3 | |
| Get Time | type = Ticks, time = 226685 |
|
3 | |
| Get Time | type = Ticks, time = 226731 |
|
3 | |
| Get Time | type = Ticks, time = 226778 |
|
3 | |
| Get Time | type = Ticks, time = 226825 |
|
3 | |
| Get Time | type = Ticks, time = 226872 |
|
1 | |
| Get Time | type = Ticks, time = 227527 |
|
2 | |
| Get Time | type = Ticks, time = 227605 |
|
4 | |
| Get Time | type = Ticks, time = 227745 |
|
3 | |
| Get Time | type = Ticks, time = 227808 |
|
3 | |
| Get Time | type = Ticks, time = 227870 |
|
3 | |
| Get Time | type = Ticks, time = 227933 |
|
3 | |
| Get Time | type = Ticks, time = 227979 |
|
3 | |
| Get Time | type = Ticks, time = 228026 |
|
3 | |
| Get Time | type = Ticks, time = 228073 |
|
3 | |
| Get Time | type = Ticks, time = 228120 |
|
3 | |
| Get Time | type = Ticks, time = 228213 |
|
3 | |
| Get Time | type = Ticks, time = 228291 |
|
3 | |
| Get Time | type = Ticks, time = 228354 |
|
3 | |
| Get Time | type = Ticks, time = 228401 |
|
3 | |
| Get Time | type = Ticks, time = 228447 |
|
3 | |
| Get Time | type = Ticks, time = 228494 |
|
3 | |
| Get Time | type = Ticks, time = 228541 |
|
3 | |
| Get Time | type = Ticks, time = 228588 |
|
3 | |
| Get Time | type = Ticks, time = 228635 |
|
3 | |
| Get Time | type = Ticks, time = 228697 |
|
3 | |
| Get Time | type = Ticks, time = 228993 |
|
3 | |
| Get Time | type = Ticks, time = 229040 |
|
3 | |
| Get Time | type = Ticks, time = 229103 |
|
3 | |
| Get Time | type = Ticks, time = 229149 |
|
3 | |
| Get Time | type = Ticks, time = 229196 |
|
3 | |
| Get Time | type = Ticks, time = 229259 |
|
3 | |
| Get Time | type = Ticks, time = 229305 |
|
3 | |
| Get Time | type = Ticks, time = 229352 |
|
3 | |
| Get Time | type = Ticks, time = 229399 |
|
3 | |
| Get Time | type = Ticks, time = 229446 |
|
3 | |
| Get Time | type = Ticks, time = 229493 |
|
3 | |
| Get Time | type = Ticks, time = 229539 |
|
3 | |
| Get Time | type = Ticks, time = 229602 |
|
3 | |
| Get Time | type = Ticks, time = 229649 |
|
3 | |
| Get Time | type = Ticks, time = 229695 |
|
3 | |
| Get Time | type = Ticks, time = 229742 |
|
3 | |
| Get Time | type = Ticks, time = 229805 |
|
3 | |
| Get Time | type = Ticks, time = 229851 |
|
3 | |
| Get Time | type = Ticks, time = 229898 |
|
3 | |
| Get Time | type = Ticks, time = 229945 |
|
3 | |
| Get Time | type = Ticks, time = 230007 |
|
3 | |
| Get Time | type = Ticks, time = 230054 |
|
3 | |
| Get Time | type = Ticks, time = 230101 |
|
3 | |
| Get Time | type = Ticks, time = 230148 |
|
3 | |
| Get Time | type = Ticks, time = 230195 |
|
3 | |
| Get Time | type = Ticks, time = 230273 |
|
3 | |
| Get Time | type = Ticks, time = 230319 |
|
3 | |
| Get Time | type = Ticks, time = 230366 |
|
3 | |
| Get Time | type = Ticks, time = 230413 |
|
3 | |
| Get Time | type = Ticks, time = 230460 |
|
3 | |
| Get Time | type = Ticks, time = 230507 |
|
3 | |
| Get Time | type = Ticks, time = 230585 |
|
3 | |
| Get Time | type = Ticks, time = 230647 |
|
1 | |
| Register Hook | type = WH_MSGFILTER, hookproc_address = 0x729a1e09 |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Mutex (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | - |
|
1 | |
| Open | mutex_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, desired_access = SYNCHRONIZE |
|
2 | |
| Open | mutex_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, desired_access = SYNCHRONIZE |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = PROGRAMFILES, result_out = C:\Program Files (x86) |
|
1 |
Process #9: document.exe
147
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\aetadzjz\appdata\roaming\document\document.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 2 2616 18220554 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa68 |
| Parent PID | 0x81c (c:\users\aetadzjz\appdata\roaming\document\document.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00226fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00231fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00240fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00330fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00347fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00357fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| document.exe | 0x00400000 | 0x004b2fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001da0000 | 0x01da0000 | 0x01e9ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000001ea0000 | 0x01ea0000 | 0x01f7efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f80000 | 0x01f80000 | 0x020effff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x020f0000 | 0x02a1ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002a20000 | 0x02a20000 | 0x02e12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002e20000 | 0x02e20000 | 0x2474ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002e20000 | 0x02e20000 | 0x0ae20fff | Private Memory | rw |
|
|
|
- |
| version.dll | 0x74ba0000 | 0x74ba8fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75460000 | 0x754e3fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x77780000 | 0x777fafff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | os_pid = 0xb6c, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, show_window = SW_HIDE |
|
1 |
Module (58)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.ENU | base_address = 0x0 |
|
1 | |
| Load | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN | base_address = 0x0 |
|
1 | |
| Load | shell32 | base_address = 0x76b00000 |
|
1 | |
| Load | user32 | base_address = 0x77820000 |
|
1 | |
| Load | advapi32 | base_address = 0x76490000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\roaming\document\document.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76720000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77820000 |
|
3 | |
| Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | base_address = 0x75460000 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\document\document.exe | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\document\document.exe | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 256 |
|
1 | |
| Get Filename | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 255 |
|
1 | |
| Get Filename | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExA, address_out = 0x762b434f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x76724c28 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7679c802 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7679ec66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76745934 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7679d332 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7679dbd4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7679e405 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7679f00a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7679f15e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76745a98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7679ecfa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7679ee2e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x7673b0dc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x76736fab |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x767401a0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x7673699e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x76746ba7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x76766c12 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x7673dbd1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x76747fdc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x76737a2a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x76740355 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x77844413 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7784451a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = AnimateWindow, address_out = 0x7784b531 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitializeFlatSB, address_out = 0x7549266f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = UninitializeFlatSB, address_out = 0x75492542 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollProp, address_out = 0x75491d29 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollProp, address_out = 0x7549238d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_EnableScrollBar, address_out = 0x754920c9 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_ShowScrollBar, address_out = 0x75491fdb |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollRange, address_out = 0x75491e8d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollInfo, address_out = 0x75491f0f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollPos, address_out = 0x75491ccd |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollPos, address_out = 0x7549216d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollInfo, address_out = 0x754922be |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollRange, address_out = 0x754921e2 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetLayeredWindowAttributes, address_out = 0x7785ec88 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Document | class_name = TApplication, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | Document | class_name = TApplication, index = 18446744073709551612, new_long = 2166767 |
|
1 |
Keyboard (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 0, result_out = 4 |
|
1 | |
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Get Info | type = KB_LOCALE_ID |
|
1 |
System (77)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 452, y_out = 497 |
|
15 | |
| Get Cursor | x_out = 667, y_out = 497 |
|
17 | |
| Get Cursor | x_out = 882, y_out = 497 |
|
5 | |
| Sleep | duration = 172 milliseconds (0.172 seconds) |
|
36 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Operating System |
|
1 |
Debug (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\aetadzjz\appdata\roaming\document\document.exe | - |
|
1 | |
| Check for Presence | c:\users\aetadzjz\appdata\roaming\document\document.exe | - |
|
1 |
Process #10: iexplore.exe
0
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\program files (x86)\internet explorer\iexplore.exe |
| Command Line | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:18, Reason: Crashed |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xabc |
| Parent PID | 0xa38 (c:\users\aetadzjz\appdata\roaming\document\document.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| iexplore.exe | 0x00290000 | 0x00335fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | address = 0x400000, size = 4096 |
|
1 | |
| Modify Memory | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | address = 0x401000, size = 249856 |
|
1 | |
| Modify Memory | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | address = 0x43e000, size = 0 |
|
1 | |
| Modify Memory | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | address = 0x442000, size = 4096 |
|
1 | |
| Modify Memory | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Control Flow | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | os_tid = 0xad8, address = 0x77e301c4 |
|
1 |
Process #11: iexplore.exe
463
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\program files (x86)\internet explorer\iexplore.exe |
| Command Line | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:48, Reason: Self Terminated |
| Monitor Duration | 00:00:29 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x35c |
| Parent PID | 0xa38 (c:\users\aetadzjz\appdata\roaming\document\document.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F0
0x
7E0
0x
144
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001bbfff | Private Memory | rw |
|
|
|
- |
| scrrun.dll | 0x001b0000 | 0x001c4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| msvbvm60.dll | 0x001f0000 | 0x00209fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00442fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x0052efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00937fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| iexplore.exe | 0x00ac0000 | 0x00b65fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00cf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x020fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002100000 | 0x02100000 | 0x024fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02500000 | 0x027cefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000027d0000 | 0x027d0000 | 0x0299ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027d0000 | 0x027d0000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027e0000 | 0x027e0000 | 0x028dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002920000 | 0x02920000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002960000 | 0x02960000 | 0x0299ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x02adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b30000 | 0x02b30000 | 0x02c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02d6ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x02d70000 | 0x0369ffff | Memory Mapped File | r |
|
|
|
- |
| msvbvm60.dll | 0x72940000 | 0x72a92fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74ba0000 | 0x74ba8fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x75360000 | 0x75454fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75460000 | 0x754e3fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x75570000 | 0x75599fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x755a0000 | 0x755b1fff | Memory Mapped File | rwx |
|
|
|
- |
| shacct.dll | 0x755c0000 | 0x755ddfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x755e0000 | 0x755e7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x757a0000 | 0x757a4fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x757b0000 | 0x757ebfff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x757f0000 | 0x7584efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76450000 | 0x76484fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77df0000 | 0x77df5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | address = 0x400000, size = 4096 |
|
1 | |
| Modify Memory | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | address = 0x401000, size = 249856 |
|
1 | |
| Modify Memory | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | address = 0x43e000, size = 0 |
|
1 | |
| Modify Memory | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | address = 0x442000, size = 4096 |
|
1 | |
| Modify Memory | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Control Flow | #8: c:\users\aetadzjz\appdata\roaming\document\document.exe | 0x94c | os_tid = 0xf0, address = 0x77e301c4 |
|
1 |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\Temp\aETAdzjz.bmp | 48.05 KB |
MD5:
343fa15c150a516b20cc9f787cfd530e
SHA1: 369e8ac39d762e531d961c58b8c5dc84d19ba989 SHA256: d632e9dbacdcd8f6b86ba011ed6b23f961d104869654caa764216ea57a916524 SSDeep: 768:wjof+RdBZJ2g653hvqs+Rcb+SBMdK4tztHDyecRa6Xs9X/jPlu6tKvUfsQscD:wjE+132lhisKZdltWeks9Ru6nsQscD |
|
|
| C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut | 48.05 KB |
MD5:
a634cb7eb39b833d885186b5ba1023f2
SHA1: c12e1a24fe39d4017ca8bade72dce2f128ca1f46 SHA256: 8806d6fd705d67f18eaa6c95806d405cd3a3a56e41636958a408973f602daebf SSDeep: 768:wjof+RdBZJ2g653hvqs+Rcb+SBMdK4tztHDyecRa6Xs9X/jPlu6tKvUfsQscL:wjE+132lhisKZdltWeks9Ru6nsQscL |
|
|
| C:\Users\aETAdzjz\AppData\Roaming\svchost.exe | 693.00 KB |
MD5:
7cd1dbbd8457d59274642c9a6e3e60dd
SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2 |
|
|
| c:\users\aetadzjz\appdata\roaming\i5e1s5g4-f4t3-t1y3-b4i3-k5w2v3b0v441\i5e1s5g4-f4t3-t1y3-b4i3-k5w2v3b0v441 | 0.09 KB |
MD5:
7492126839f1d745231d8524f3dc1b93
SHA1: 76d4656a1de53b264e6a60b76b50eb16aab78875 SHA256: 8243ac68e751f62f873e2ca5ed944e8f1a5056142ae3d9fc72156e84ec1e2f4a SSDeep: 3:zQbHv0Ucd14JLgPuIxKiMq49FA6n:zQbH8Ucd14JLEtMhA6 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Roaming\svchost.exe | 693.00 KB |
MD5:
7cd1dbbd8457d59274642c9a6e3e60dd
SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2 |
|
|
Host Behavior
File (47)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\aETAdzjz.bmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create Directory | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 | - |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | type = time |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\aETAdzjz.bmp | type = file_type |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | size = 65024, size_out = 65024 |
|
10 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | size = 65024, size_out = 59392 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | size = 65024, size_out = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\aETAdzjz.bmp | size = 49208 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe | size = 65024 |
|
10 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe | size = 59392 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut | size = 14 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut | size = 49192 |
|
1 |
Registry (8)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors | - |
|
2 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, data = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 222, type = REG_SZ |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, data = 7173956, size = 222, type = REG_SZ |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | value_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, data = 7171660, size = 222, type = REG_SZ |
|
1 |
Module (212)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | OLEAUT32.DLL | base_address = 0x76720000 |
|
1 | |
| Load | VERSION.DLL | base_address = 0x74ba0000 |
|
1 | |
| Load | SXS.DLL | base_address = 0x757f0000 |
|
1 | |
| Load | KERNEL32 | base_address = 0x76220000 |
|
10 | |
| Load | kernel32.dll | base_address = 0x76220000 |
|
1 | |
| Load | OLE32 | base_address = 0x75cf0000 |
|
2 | |
| Load | advapi32.dll | base_address = 0x76490000 |
|
2 | |
| Load | advapi32 | base_address = 0x76490000 |
|
10 | |
| Load | kernel32 | base_address = 0x76220000 |
|
6 | |
| Load | user32.dll | base_address = 0x77820000 |
|
16 | |
| Load | ws2_32.dll | base_address = 0x76450000 |
|
6 | |
| Load | user32 | base_address = 0x77820000 |
|
4 | |
| Load | Shell32 | base_address = 0x76b00000 |
|
2 | |
| Load | User32.dll | base_address = 0x77820000 |
|
2 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
3 | |
| Get Handle | private_0x0000000000400000 | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76720000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x75cf0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77820000 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Program Files (x86)\Internet Explorer\iexplore.exe, size = 260 |
|
3 | |
| Get Filename | - | process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 |
|
4 | |
| Get Filename | private_0x0000000000400000 | process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Program Files (x86)\Internet Explorer\iexplore.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsTNT, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x76235235 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = OleLoadPictureEx, address_out = 0x767870a1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = DispCallFunc, address_out = 0x76733dcf |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = LoadTypeLibEx, address_out = 0x767307b7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = UnRegisterTypeLib, address_out = 0x76751ca9 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = CreateTypeLib2, address_out = 0x76738e70 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromUdate, address_out = 0x76737684 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarUdateFromDate, address_out = 0x7673cc98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetAltMonthNames, address_out = 0x7676903a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNumFromParseNum, address_out = 0x76736231 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarParseNumFromStr, address_out = 0x76735fea |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR4, address_out = 0x76743f94 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR8, address_out = 0x76744e9e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromDate, address_out = 0x7676db72 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromI4, address_out = 0x76752a8c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromCy, address_out = 0x7676d737 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromDec, address_out = 0x7676e015 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromTypeInfo, address_out = 0x7676cc3d |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromGuids, address_out = 0x7676d1c4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetRecordInfo, address_out = 0x7676d48c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetRecordInfo, address_out = 0x7676d4c6 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetIID, address_out = 0x7676d509 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetIID, address_out = 0x7673e7bb |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCopyData, address_out = 0x7673e496 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayAllocDescriptorEx, address_out = 0x7673ddf1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCreateEx, address_out = 0x7676d53f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormat, address_out = 0x76772055 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatDateTime, address_out = 0x767720ea |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatNumber, address_out = 0x76772151 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatPercent, address_out = 0x767721f5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatCurrency, address_out = 0x76772288 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarWeekdayName, address_out = 0x76772335 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMonthName, address_out = 0x767723d5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76745934 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76745a98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCat, address_out = 0x767459b4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7679e405 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarEqv, address_out = 0x7679ef07 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7679f00a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarImp, address_out = 0x7679ef47 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7679f15e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7679dbd4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7679ecfa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarPow, address_out = 0x7679ea66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7679d332 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7679ee2e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAbs, address_out = 0x7679ca11 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFix, address_out = 0x7679cc5f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarInt, address_out = 0x7679cde7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7679c802 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7679ec66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarRound, address_out = 0x7679d155 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x7673b0dc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecAdd, address_out = 0x76755f3e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecCmp, address_out = 0x76744fd0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCat, address_out = 0x76740d2c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyMulI4, address_out = 0x767559ed |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCmp, address_out = 0x7672f8b8 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x75d39d4e |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x75d00782 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueA, address_out = 0x74ba1b72 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeA, address_out = 0x74ba1c9c |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoA, address_out = 0x74ba1ced |
|
1 | |
| Get Address | c:\windows\syswow64\sxs.dll | function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75837685 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromWindow, address_out = 0x77843150 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromRect, address_out = 0x7785e7a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromPoint, address_out = 0x77845281 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7784451a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x77844413 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x76231245 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x76231222 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetProcessDEPPolicy, address_out = 0x7624eb9a |
|
2 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateGuid, address_out = 0x75d315d5 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = StringFromGUID2, address_out = 0x75d322ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x764a4304 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueA, address_out = 0x764a404a |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x764a418e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x76231410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexA, address_out = 0x76234c6b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x76231136 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesW, address_out = 0x76231b18 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x76234259 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x762310ff |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x7624d4f7 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x764a1514 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x764a14d6 |
|
3 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x764a469d |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlMoveMemory, address_out = 0x77e83c40 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetTimer, address_out = 0x778379fb |
|
3 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x76453ab2 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExA, address_out = 0x7783d22e |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowLongA, address_out = 0x77846110 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x76234467 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 261, address_out = 0x76d71a5f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExW, address_out = 0x77838a29 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterRawInputDevices, address_out = 0x778988eb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterWindowMessageW, address_out = 0x77839ebd |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 181, address_out = 0x76b03b3a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetClipboardViewer, address_out = 0x7784c4b6 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageA, address_out = 0x7784612e |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CallWindowProcA, address_out = 0x7784792f |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htons, address_out = 0x76452d8b |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_addr, address_out = 0x7645311b |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x76453eb8 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = connect, address_out = 0x76456bdd |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x76453918 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetLastInputInfo, address_out = 0x7784b382 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x7623110c |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetRawInputData, address_out = 0x7789836f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = PostMessageA, address_out = 0x77843baa |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetClassNameW, address_out = 0x778382a9 |
|
3 | |
| Get Address | c:\windows\syswow64\user32.dll | function = KillTimer, address_out = 0x778379db |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DestroyWindow, address_out = 0x77839a55 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
Window (11)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderRT6Main, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = VBMsoStdCompMgr, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = VBFocusRT6, wndproc_parameter = 0 |
|
1 | |
| Create | Source | wndproc_parameter = 0 |
|
1 | |
| Create | SOCKET_WINDOW | class_name = STATIC, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = EDIT, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = VBMsoStdCompMgr, index = 0, new_long = 3940508 |
|
1 | |
| Set Attribute | Source | index = 18446744073709551600, new_long = 33554432 |
|
1 | |
| Set Attribute | SOCKET_WINDOW | class_name = STATIC, index = 18446744073709551612, new_long = 4206032 |
|
1 | |
| Set Attribute | - | class_name = EDIT, index = 18446744073709551612, new_long = 4211776 |
|
1 | |
| Set Attribute | - | class_name = EDIT, index = 18446744073709551612, new_long = 18446744073709486703 |
|
1 |
Keyboard (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 |
System (167)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 50 milliseconds (0.050 seconds) |
|
2 | |
| Sleep | duration = 10000 milliseconds (10.000 seconds) |
|
1 | |
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
6 | |
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
6 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 | |
| Get Time | type = Local Time, time = 2018-11-05 09:30:14 (Local Time) |
|
4 | |
| Get Time | type = Ticks, time = 232581 |
|
4 | |
| Get Time | type = Ticks, time = 233658 |
|
3 | |
| Get Time | type = Ticks, time = 236965 |
|
6 | |
| Get Time | type = Ticks, time = 237589 |
|
4 | |
| Get Time | type = Ticks, time = 238790 |
|
4 | |
| Get Time | type = Ticks, time = 238821 |
|
4 | |
| Get Time | type = Ticks, time = 239742 |
|
3 | |
| Get Time | type = Ticks, time = 240350 |
|
9 | |
| Get Time | type = Ticks, time = 240366 |
|
3 | |
| Get Time | type = Ticks, time = 242597 |
|
4 | |
| Get Time | type = Ticks, time = 243876 |
|
3 | |
| Get Time | type = Ticks, time = 246731 |
|
3 | |
| Get Time | type = Ticks, time = 246746 |
|
3 | |
| Get Time | type = Ticks, time = 246762 |
|
3 | |
| Get Time | type = Ticks, time = 246918 |
|
3 | |
| Get Time | type = Ticks, time = 247043 |
|
3 | |
| Get Time | type = Local Time, time = 2018-11-05 09:30:30 (Local Time) |
|
6 | |
| Get Time | type = Ticks, time = 247355 |
|
3 | |
| Get Time | type = Ticks, time = 247370 |
|
3 | |
| Get Time | type = Ticks, time = 247604 |
|
4 | |
| Get Time | type = Ticks, time = 248883 |
|
1 | |
| Get Time | type = Ticks, time = 248899 |
|
4 | |
| Get Time | type = Ticks, time = 249398 |
|
3 | |
| Get Time | type = Ticks, time = 250319 |
|
9 | |
| Get Time | type = Ticks, time = 250334 |
|
3 | |
| Get Time | type = Ticks, time = 250350 |
|
6 | |
| Get Time | type = Ticks, time = 250366 |
|
3 | |
| Get Time | type = Ticks, time = 250381 |
|
6 | |
| Get Time | type = Ticks, time = 250397 |
|
6 | |
| Get Time | type = Ticks, time = 250490 |
|
6 | |
| Get Time | type = Ticks, time = 251426 |
|
3 | |
| Get Time | type = Ticks, time = 252440 |
|
3 | |
| Get Time | type = Ticks, time = 252612 |
|
4 | |
| Get Time | type = Local Time, time = 2018-11-05 09:30:37 (Local Time) |
|
2 | |
| Register Hook | type = WH_MSGFILTER, hookproc_address = 0x729a1e09 |
|
1 | |
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | - |
|
1 | |
| Create | mutex_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #12: document.exe
119
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\users\aetadzjz\appdata\roaming\document\document.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:48, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb6c |
| Parent PID | 0xa68 (c:\users\aetadzjz\appdata\roaming\document\document.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00226fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00231fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| document.exe | 0x00400000 | 0x004b2fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x0059efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00837fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x009c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x01dcffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001dd0000 | 0x01dd0000 | 0x01ecffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001ed0000 | 0x01ed0000 | 0x020effff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x020f0000 | 0x02a1ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002a20000 | 0x02a20000 | 0x02e12fff | Pagefile Backed Memory | r |
|
|
|
- |
| version.dll | 0x74ba0000 | 0x74ba8fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75460000 | 0x754e3fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x77780000 | 0x777fafff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
1 |
Module (53)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.ENU | base_address = 0x0 |
|
1 | |
| Load | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN | base_address = 0x0 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\roaming\document\document.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76220000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76720000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77820000 |
|
3 | |
| Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | base_address = 0x75460000 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\document\document.exe | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\document\document.exe | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 256 |
|
1 | |
| Get Filename | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 255 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExA, address_out = 0x762b434f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x76724c28 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7679c802 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7679ec66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76745934 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7679d332 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7679dbd4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7679e405 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7679f00a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7679f15e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76745a98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7679ecfa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7679ee2e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x7673b0dc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x76736fab |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x767401a0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x7673699e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x76746ba7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x76766c12 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x7673dbd1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x76747fdc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x76737a2a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x76740355 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x77844413 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7784451a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = AnimateWindow, address_out = 0x7784b531 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitializeFlatSB, address_out = 0x7549266f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = UninitializeFlatSB, address_out = 0x75492542 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollProp, address_out = 0x75491d29 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollProp, address_out = 0x7549238d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_EnableScrollBar, address_out = 0x754920c9 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_ShowScrollBar, address_out = 0x75491fdb |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollRange, address_out = 0x75491e8d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollInfo, address_out = 0x75491f0f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollPos, address_out = 0x75491ccd |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollPos, address_out = 0x7549216d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollInfo, address_out = 0x754922be |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollRange, address_out = 0x754921e2 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetLayeredWindowAttributes, address_out = 0x7785ec88 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Document | class_name = TApplication, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | Document | class_name = TApplication, index = 18446744073709551612, new_long = 2166767 |
|
1 |
Keyboard (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 0, result_out = 4 |
|
1 | |
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Get Info | type = KB_LOCALE_ID |
|
1 |
System (57)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 667, y_out = 523 |
|
27 | |
| Sleep | duration = 172 milliseconds (0.172 seconds) |
|
26 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Operating System |
|
1 |
Process #13: wscript.exe
92
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\wscript.exe |
| Command Line | "C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:53, Reason: Autostart |
| Unmonitor | End Time: 00:05:11, Reason: Self Terminated |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x568 |
| Parent PID | 0x46c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
56C
0x
5C0
0x
5D4
0x
61C
0x
658
0x
6D0
0x
6D8
0x
6E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00040000 | 0x000a6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x001e0000 | 0x001e5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x002f0000 | 0x0036cfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003cefff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| document.vbs | 0x003f0000 | 0x003f0fff | Memory Mapped File | r |
|
|
|
- |
| rsaenh.dll | 0x003f0000 | 0x00434fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| document.vbs | 0x00400000 | 0x00400fff | Memory Mapped File | r |
|
|
|
|
| wshom.ocx | 0x00400000 | 0x00413fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00420fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00431fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00450000 | 0x00453fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00461fff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x00470000 | 0x0048ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x004b0000 | 0x004b3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x00747fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x008d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x01cdffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ce0000 | 0x01ce0000 | 0x02022fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x021bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0212ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002130000 | 0x02130000 | 0x02130fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002140000 | 0x02140000 | 0x021bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021c0000 | 0x021c0000 | 0x022bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022e0000 | 0x022e0000 | 0x023dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x023e0000 | 0x026aefff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x026b0000 | 0x026dffff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x026e0000 | 0x02745fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000027a0000 | 0x027a0000 | 0x0289ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000028a0000 | 0x028a0000 | 0x0389ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000038a0000 | 0x038a0000 | 0x0399ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b60000 | 0x03b60000 | 0x03c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003cd0000 | 0x03cd0000 | 0x03dcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003dd0000 | 0x03dd0000 | 0x041c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000042a0000 | 0x042a0000 | 0x0439ffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77100000 | 0x771f9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77200000 | 0x7731efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77320000 | 0x774c8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| wscript.exe | 0xffe70000 | 0xffe9bfff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x7fef5c40000 | 0x7fef5c73fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x7fef5c80000 | 0x7fef5ca7fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x7fef5ec0000 | 0x7fef5efbfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fef6150000 | 0x7fef61effff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x7fef7320000 | 0x7fef733cfff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x7fef7440000 | 0x7fef744afff | Memory Mapped File | rwx |
|
|
|
- |
| vbscript.dll | 0x7fef77c0000 | 0x7fef7859fff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef8550000 | 0x7fef8583fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefa5c0000 | 0x7fefa616fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7fefa7f0000 | 0x7fefa807fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fefaf70000 | 0x7fefaf87fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefb350000 | 0x7fefb3a5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefbb80000 | 0x7fefbd73fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbfd0000 | 0x7fefbffcfff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc030000 | 0x7fefc15bfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefc430000 | 0x7fefc43bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefc860000 | 0x7fefc8a6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefcb80000 | 0x7fefcb96fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefd130000 | 0x7fefd154fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd160000 | 0x7fefd16efff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7fefd170000 | 0x7fefd200fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd270000 | 0x7fefd27efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefd310000 | 0x7fefd31efff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7fefd320000 | 0x7fefd359fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefd360000 | 0x7fefd379fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd380000 | 0x7fefd3eafff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefd490000 | 0x7fefd5f6fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd600000 | 0x7fefd635fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7fefd640000 | 0x7fefd716fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7fefd720000 | 0x7fefd849fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7fefd850000 | 0x7fefd9c7fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefd9d0000 | 0x7fefd9ddfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7fefd9e0000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefda80000 | 0x7fefdb48fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7fefdb50000 | 0x7fefdbe6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdc00000 | 0x7fefe987fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7fefe990000 | 0x7fefe9e1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefe9f0000 | 0x7fefebf2fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefecd0000 | 0x7fefedd8fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7fefede0000 | 0x7feff038fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff060000 | 0x7feff07efff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff080000 | 0x7feff15afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff160000 | 0x7feff1fefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff200000 | 0x7feff32cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7feff330000 | 0x7feff35dfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff360000 | 0x7feff536fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff5b0000 | 0x7feff620fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff640000 | 0x7feff640fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (4)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | wsCripT.ShEll | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs | type = size |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs | type = size |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs | size = 141, size_out = 141 |
|
1 |
Registry (27)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\.vbs | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\VBSFile\ScriptEngine | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\.vbs | data = VBSFile, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\VBSFile\ScriptEngine | data = VBScript, type = REG_SZ |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (21)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x77200000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7fefe9f0000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x7feff080000 |
|
1 | |
| Load | shell32.dll | base_address = 0x7fefdc00000 |
|
1 | |
| Get Handle | c:\windows\system32\wscript.exe | base_address = 0xffe70000 |
|
3 | |
| Get Handle | c:\windows\system32\ole32.dll | base_address = 0x7fefe9f0000 |
|
1 | |
| Get Filename | c:\windows\system32\wscript.exe | process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x7721c4a0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7fefea17490 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x7feff09e470 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x7feff09f9b0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferCloseLevel, address_out = 0x7feff09f660 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x7fefea0a4c4 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetClassObject, address_out = 0x7fefea22e18 |
|
1 | |
| Get Address | c:\windows\system32\wscript.exe | function = 1, address_out = 0xffe7d7f8 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteExW, address_out = 0x7fefdc27c70 |
|
1 | |
| Create Mapping | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs | filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs, protection = PAGE_READONLY, maximum_size = 141 |
|
1 | |
| Map | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs | process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WSH-Timer, wndproc_parameter = 4479568 |
|
1 |
System (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
2 | |
| Get Time | type = System Time, time = 2018-11-05 09:32:20 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 27066 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-05 09:32:22 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 29203 |
|
1 | |
| Get Time | type = Ticks, time = 29998 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-05 09:32:28 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 35037 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-05 09:32:30 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 36395 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-05 09:32:32 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 38828 |
|
1 | |
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = System Directory, result_out = õ. |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Process #14: document.exe
66
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\users\aetadzjz\appdata\roaming\document\document.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:05:10, Reason: Child Process |
| Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6ec |
| Parent PID | 0x568 (c:\windows\system32\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00260fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00276fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00281fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| document.exe | 0x00400000 | 0x004b2fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00897fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x00a20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x01e2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001e30000 | 0x01e30000 | 0x01f0efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f10000 | 0x01f10000 | 0x0212ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x02130000 | 0x02a5ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002a60000 | 0x02a60000 | 0x02e52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002e60000 | 0x02e60000 | 0x2478ffff | Private Memory | - |
|
|
|
- |
| dwmapi.dll | 0x739f0000 | 0x73a02fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x73a10000 | 0x73a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73b80000 | 0x73c03fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73c10000 | 0x73c18fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73c30000 | 0x73c37fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73c40000 | 0x73c9bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73ca0000 | 0x73cdefff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75050000 | 0x7505bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75060000 | 0x750bffff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x750f0000 | 0x7524bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75250000 | 0x752effff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x753f0000 | 0x754dffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x754e0000 | 0x76129fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76130000 | 0x7622ffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x76230000 | 0x76239fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x764a0000 | 0x765affff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76640000 | 0x766cefff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x766d0000 | 0x766e8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x766f0000 | 0x76735fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x76740000 | 0x767bafff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76ca0000 | 0x76cfffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76df0000 | 0x76ebbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76ec0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76f70000 | 0x76fc6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x76fd0000 | 0x7706cfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77070000 | 0x770fffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077100000 | 0x77100000 | 0x771f9fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077200000 | 0x77200000 | 0x7731efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77320000 | 0x774c8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77500000 | 0x7767ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
1 |
Module (53)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.ENU | base_address = 0x0 |
|
1 | |
| Load | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN | base_address = 0x0 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\roaming\document\document.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x764a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76640000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x76130000 |
|
3 | |
| Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | base_address = 0x73b80000 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\document\document.exe | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261 |
|
1 | |
| Get Filename | c:\users\aetadzjz\appdata\roaming\document\document.exe | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 256 |
|
1 | |
| Get Filename | C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN | process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 255 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExA, address_out = 0x7653434f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x76644c28 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x766bc802 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x766bec66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76665934 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x766bd332 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x766bdbd4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x766be405 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x766bf00a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x766bf15e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76665a98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x766becfa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x766bee2e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x7665b0dc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x76656fab |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x766601a0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x7665699e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x76666ba7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x76686c12 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x7665dbd1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x76667fdc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x76657a2a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x76660355 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x76154413 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x76147d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7615451a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = AnimateWindow, address_out = 0x7615b531 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitializeFlatSB, address_out = 0x73bb266f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = UninitializeFlatSB, address_out = 0x73bb2542 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollProp, address_out = 0x73bb1d29 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollProp, address_out = 0x73bb238d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_EnableScrollBar, address_out = 0x73bb20c9 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_ShowScrollBar, address_out = 0x73bb1fdb |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollRange, address_out = 0x73bb1e8d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollInfo, address_out = 0x73bb1f0f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollPos, address_out = 0x73bb1ccd |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollPos, address_out = 0x73bb216d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollInfo, address_out = 0x73bb22be |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollRange, address_out = 0x73bb21e2 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetLayeredWindowAttributes, address_out = 0x7616ec88 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Document | class_name = TApplication, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | Document | class_name = TApplication, index = 18446744073709551612, new_long = 2494447 |
|
1 |
Keyboard (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 0, result_out = 4 |
|
1 | |
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Get Info | type = KB_LOCALE_ID |
|
1 |
System (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Operating System |
|
1 |
