1f8feaadbc4921aae2e51ad6d43513a915bd6081ca7bcc65b412f30ef8f155da (SHA256)
whzqnu.exe
Windows Exe (x86-32)
Created at 2019-01-14 07:50:00
Notifications (1/1)
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: whzqnu.exe
16899
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe |
| Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\whzqnu.exe" |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:21, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:21, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x948 |
| Parent PID | 0x458 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
94C
0x
904
0x
940
0x
ABC
0x
B00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | r |
|
|
|
- |
| rsaenh.dll | 0x000d0000 | 0x0010bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00150000 | 0x0020ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00480fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00907fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00f80000 | 0x0124efff | Memory Mapped File | r |
|
|
|
- |
| whzqnu.exe | 0x013a0000 | 0x0147afff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000001480000 | 0x01480000 | 0x0287ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002880000 | 0x02880000 | 0x02c8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002880000 | 0x02880000 | 0x02c72fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002c90000 | 0x02c90000 | 0x0309ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002cf0000 | 0x02cf0000 | 0x02deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e60000 | 0x02e60000 | 0x02f5ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x74c30000 | 0x74c6afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74c70000 | 0x74c85fff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x74d80000 | 0x74d82fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x750f0000 | 0x750fcfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75100000 | 0x75108fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x75110000 | 0x7511afff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75120000 | 0x7512efff | Memory Mapped File | rwx |
|
|
|
- |
| davclnt.dll | 0x75130000 | 0x75146fff | Memory Mapped File | rwx |
|
|
|
- |
| ntlanman.dll | 0x75150000 | 0x75163fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75160000 | 0x7516efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x751e0000 | 0x751f8fff | Memory Mapped File | rwx |
|
|
|
- |
| davhlpr.dll | 0x751e0000 | 0x751e7fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x751f0000 | 0x75218fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x75200000 | 0x75210fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75270000 | 0x75278fff | Memory Mapped File | rwx |
|
|
|
- |
| drprov.dll | 0x75270000 | 0x75277fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.mdk4y | 1.35 KB |
MD5:
bceb474e3d6d7bb73799ab35d66623fb
SHA1: 17911b56e34dd4a0e414d2b447d513a3d8e37f32 SHA256: 1b3d72a0b15b8daee71da107ee605c4f46f3628ce43f18d36096e95e75218d07 SSDeep: 24:bFVPiPip/qIMcbGV+KxNeeTOw+sIDJjf6ZeFW1+wrQXIJalHeXMwL2+29Zp:6GPMOa1keIsIVjfEWwEUfX7LJ29D |
|
|
| C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.mdk4y | 2.41 MB |
MD5:
9ee2324601abb5c0e67c0f106dd5bb8f
SHA1: 46e5552bf9d9eb779bf1bee7d64c6a70367c01e7 SHA256: 848a69d5bb9facc1d35ab9a66d55965b0d6c09857fe72e831532bc9a1dfb9c0a SSDeep: 49152:SKK4tU2yBNHYeAG1vkRdTex4S120ytJyhaM6CLC:SlB2yBtJAG1kW1o |
|
|
| C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.mdk4y | 1.53 KB |
MD5:
5f36bdb35589d1235aabab123a7f979b
SHA1: 0cd0eb1f47a08ef66122eeb00d61baeaa447d915 SHA256: daf603a2258e8eb2f0469118c0857d90a2f8f76ae7b8d0e3031f65e41262c135 SSDeep: 24:b+ByWCKKapXDZYMhDdCrxYiopz5eoV4oAurt0i6fEpo2ugSPgoTPuzNUy:SBNwqnhDdcYfV5hAaSEy2bSPxc |
|
|
| C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.mdk4y | 2.24 KB |
MD5:
542a2ee068b10a1558779a7c5fa80938
SHA1: c38dc41c4cf49c1c5e70742e27175b926952e6b1 SHA256: 4af1d12eb7d9b67fe9b34cd38507ec1ac4b967e3e55eeb16713619c86af16c3c SSDeep: 48:4SsiluFy1BA0yomgoi9xhiphdCeRjiys2/NCYlsyl:4Ss+u4AAP9x8XiyTNnh |
|
|
| C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.mdk4y | 1.42 KB |
MD5:
57fa2c381fd57ff56f421b4f16ef8474
SHA1: 743f5dd00b2b68332c3e2f3c581e1b366bd4e7b2 SHA256: 9daddd088b01690a4fa7ab01597feff4f7ca0e401e0ff20d8c85b4d29f7e11df SSDeep: 24:brGvbG/1bY1eTkEE3dV57rz3LRl1bcRx8b7yAyaq1VqprEkyARaMsgP5yawXy:nGv4TkjdrXRbcRx8HyAW6prpyQaFgPjr |
|
|
| C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\HOW_TO_RETURN_FILES.txt | 1.70 KB |
MD5:
68a599594512849a9f317ecf60bb78d9
SHA1: 0ebadb01c35a3f4c63ad1503fc0327d821d57239 SHA256: 9e6fd7630008397d8b53cdb58ff2a8a0ed0af182b912666f319c8da3c9e7584c SSDeep: 48:HD6AhpU+hTdPlq98l18YpdpCzs1LaEXczVG:j6AhP5VpV1Ltsz0 |
|
|
| C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.mdk4y | 10.00 MB |
MD5:
c979e2e5278676e25fe6697866cb6df8
SHA1: 50e4235bdf5ba0be0caadd25f83e84ee3b8300af SHA256: 2ebac260b0a328f9b1fd3e2614edbbe70155f20ceb1d4157084b7a2b03490963 SSDeep: 196608:kI/A15gSG4KKCX5FvaeoDcBdxmOJR7nxOKOmE7dzaNQwr:kd5G4KKCX5FvaVczxmUJnYSE7dzAT |
|
|
| C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.mdk4y | 10.00 MB |
MD5:
fc740d42312a6ad882a24ba862753398
SHA1: f692faee449caef44bd3e4fefd9b25194d4636aa SHA256: 290f7eabb312eae60f5f3c1ab9e912fb10e0304376033e8a1bbf90dfa3492f8b SSDeep: 196608:/xssSw7YM4k8IMj3kMxfGbWaxJMKMA4JxuiNQG3A2r7rfiSFhysD8uxDxKj:ptJn8IQkM2BFEx96G3AUf7FnzKj |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.mdk4y | 10.00 MB |
MD5:
44ee0260334a499bb2b6e7e5acb0563c
SHA1: 02c12adeec1d57f212aa4e3687d116cb2b8fb092 SHA256: 02a9aaf17882924e28600edbf786e254cd3f3202eb2f50d2d293f16b8564cd9a SSDeep: 196608:S2t3U6eDsIwHBL4B9lCzT2bOgBoDuihGYrLpVUBJ/7HAFGtNy6aMhnRTU+:SW5qsIwHNB26gfE7e/7JNMM5RTU+ |
|
|
| C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.mdk4y | 2.73 MB |
MD5:
128fb4991c8ebc1190fd8d2dee19d3f8
SHA1: c230aa5270abc53464f21a558c72bdb955f9a7c3 SHA256: e45e75d2f724df92ffc52e9485f40b539f80646d3a2c390e231327ae7be97ee7 SSDeep: 49152:Ii8yH5RbjwIvXXJzkuPpEmsskLljb1R6rOSN20yRJ63PooFMP+:I14BjwIp7Km66vj |
|
|
| C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.mdk4y | 1.76 KB |
MD5:
f8f141b2602998cf4ad6f941f8c9af40
SHA1: 2631f51ec2ce22655b4d72bc7dec65b2379d04ed SHA256: 001e0176c3422bf7e605543311a0e6571c5e50d8b0209abe75752363ef2d9f1d SSDeep: 48:agADcE/Md16x4KFGja3BscyjUOGgsRHnO9:SRMd16VFGG3aJ3sRI |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.mdk4y | 1.42 KB |
MD5:
3de99edd0b54a4237bd2ef57a5d3d34d
SHA1: f576f356ae0d59618259c883e50215e82f3eb1cf SHA256: a6000c1bf01f440f159fe30f6353c2592d1ac8eb1f4cbaa19cc0abdced55f6ba SSDeep: 24:bPpTYfypEbhfkFT45yv9tqIkdw7OThF4dvVfHpptaLApQHyFaOzMKezszsJ7M5wh:VYdbV87tqIU2OTj4ddvpmLApSErasUL5 |
|
|
| C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.mdk4y | 853.50 KB |
MD5:
16cff5daa2ae88f65b5485ca4b4f3515
SHA1: f2e3bc7711e99abb5f3e8fb08be7c317339e9d79 SHA256: 42335970200998d81d9d795380368e13250d799d40b4c2b2c0bf61d8235c69c3 SSDeep: 12288:6gji6K/2Frks5pIVN7UXecM+3X227o/qgn2hsDZ9Ccp/s4GFmvC5Hpv9pNXPRW2Z:R73/aNQXX3Xny6sTCw/8m+RNIt1U |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.mdk4y | 1.32 KB |
MD5:
37342a6a3776541753f14e8f533fd9d2
SHA1: 14c17dd6f70978dc9496065e435cbce55a59e163 SHA256: 88f65741f00c72a7443e8cf052131f4f94da8893785380a5475106d81f6bf99c SSDeep: 24:bKrN60WsEfosZVzWzVpIM907O7V9R2Z3hdKYe/B3PZrzR/EMG4Si9:erDWsEzaEMSO7V7abMB3ZzR8MG5k |
|
|
| C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.mdk4y | 2.31 KB |
MD5:
1825028fec64ea2d4caa6f5dba5951eb
SHA1: 2d94f1fe648170d404e0a94771967694bed7470c SHA256: 594f166908306d8440cac0e731c012972c4ddbd63b9f736366d00c55a851390f SSDeep: 48:2vM76L6m6MvAEAiC1iHoKpO0HX34Tcyi9whVd9Xr18nH+e7DRoHm:onL6m6EA3LkhHX34g1whP9B8nH+s2Hm |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.mdk4y | 1.42 KB |
MD5:
d11877854336ff2d4944846506277181
SHA1: 8e169e43db0fca3aa00e693c5eb22e55f92ec74b SHA256: db182c76340ba1f0e0eaeee2c7525261161361ebf2cb35ad370fc82443ea0081 SSDeep: 24:bNu9ODIkWd3qTKeWQC31F8hP4qEsvsjbh7m558hU9U4KHY8Ap270y2dhk85K2GX2:RYEe3qTKeWQC378d4qM+8hU92Yl2YWTQ |
|
|
| C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.mdk4y | 10.00 MB |
MD5:
6ee1074893e3b3323b7b8c0f0eb917ab
SHA1: 5a82c5905a0a08a9b452e17df8d7fbe4d6c4f052 SHA256: 38c48e03861236dc15fd1e7a419565d687022445321015c8efd6e350da717476 SSDeep: 196608:Z2onYmqQNVAl+ig71eZ8FclBElWHp8byLbyo9crpLlR8ioLO0ZF9CrpbQ:ILmqyL71eiFgepGHyo2rpLkcoCrpbQ |
|
|
| C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.mdk4y | 1.42 KB |
MD5:
f78a1b144957433d19e735e33938f4b5
SHA1: c8f082e2882020168c3edf21c5be3a413fb8f946 SHA256: d5e3263c19f4de06db4ed0b0b610c540ccc8525031b2a1e9a2525d5a59c6ddb0 SSDeep: 24:bqmJnRdUHlkQlaIoXqx59sLdpk1W06tb+ID9EpcGBO+0JksXZfL8jxHZC5AM/CjF:lRdUHeivJ0rk1iJzD9M7c1XFw9HQb/sF |
|
|
| Log | 0.19 KB |
MD5:
3b781dcca5b3dc03d73822fda2ddd26f
SHA1: 30656d062183857533b93ab32316c16426921285 SHA256: c960d140797ebb77f392d84050b7de0816ccec52101a8c1075c84d375e855eec SSDeep: 3:qFVAgvL9v+ScnBHyqFAHy6yqFAHy6yqFAHy6y6yqFAVWm2ovn:qvAqLN+SaBHZAHtZAHtZAHttZAln |
|
|
| C:\Boot\BOOTSTAT.DAT.mdk4y | 64.00 KB |
MD5:
76637118408f39086f41ae2ae23bef4c
SHA1: 1f396ffbb7df1096484b9b44b1e1ce11467074b5 SHA256: 10188489b1ea6d487f8e075a3694b5dbe4271756fdf3c312b8391f4d32f3638d SSDeep: 1536:hm8HHR1g1xls2kdkvvP2pl0eykBBMQ3B0rSW6Ma9JHuz9Q:hm8nV2j3PilSk5erSUa9JHj |
|
|
| C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.mdk4y | 2.40 MB |
MD5:
be550420674fbcc52a58904b697a250b
SHA1: d4c5487d55291e0064004a4ab150e4815d4f93b4 SHA256: 753210f82d058effc8efa7a15580a0704eb72ca0912c9aabceaa3deb0240cf1d SSDeep: 49152:EDRRcPbWWPMMGtBjhdTex4S120ytJyhaLz6CCHm:EVRcZy3q1oL |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.mdk4y | 10.00 MB |
MD5:
f1efca2f46980667afe49e84ae57b4a1
SHA1: 4c919322c1299142cc68f520b4d05306cdd3f481 SHA256: 9128af3f1cab4f601ba1b52b25bf516c48eb7f8139606521494be5874d09cced SSDeep: 196608:ZSC4M+DiOm1j3/abCsYwFOSQo2eWDOQs4hW6s63HS:ETPZmN3/abtYIQo2OQ93RS |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.mdk4y | 848.50 KB |
MD5:
329b313de8334ac84ed192f0ba0a2175
SHA1: d95d4edd721b1f58f35d055785eb4f16c2b8d01c SHA256: 7a6306350568635d490d27c9e579b225bcd7654c85e9b7f87c951d5174059bc9 SSDeep: 24576:Z3I79pYEKa01YThltUiDzHP7YAeUPA61+Ddl4nITr:Z3I7vmXghltUiHP7FXPMDff |
|
|
| C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.mdk4y | 4.11 KB |
MD5:
d52f3ce4c583c78d78081455ff046d1e
SHA1: b09989e533f1dd7a319dcc1df56752a1e69dccd5 SHA256: f67a4eddcaaa77308df904f898f913266702f288ec8d9b475568a50ec51b8388 SSDeep: 96:RhvtYmIeM1PFDayJZSizgXQdmtCB1U+p5eIRcW9eyWQiAgrPX/VN2mst:RNOmIeyFBZrkA6CB11WIRc7/PX/V2 |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.mdk4y | 0.79 KB |
MD5:
6997e2de1bf572f657031219842278d9
SHA1: f5e2027945b70bfc8ae4029c1ca9ef35f7fd4c70 SHA256: 9e867784f18a2d6090010ca81d920881b664d1312bc4a70e7332b76644bd19bb SSDeep: 12:bX8m4ZyXNk2NpLWDldDGIp/l3A4UC2G4D9lwORz68JJGY9Pm79Ol8CB5Nkb4mdcP:bVRDLaXGs3UQ4prlL9w59y |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.mdk4y | 860.50 KB |
MD5:
7d0e957ddba1983dfae9256c0044b9d8
SHA1: dad4d8ce8e623b9119a64d66fba9b8a0477cf94e SHA256: 3ac36c6bde9c5f310da190486033ebd64b187204b978f66911a95eb87c66e83f SSDeep: 12288:V5J18qyNngwBiQsPBCm2NUpA+eY/ft2ij8KY+WpNCq2J4dyUjP597ofjlv:f/CHqis/cehvq2J4dya1ofx |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.mdk4y | 865.00 KB |
MD5:
5c0ba21f7b65c5a99302667d69d6d404
SHA1: 7b0761fd8cf24f067123f609fcaff37069d571df SHA256: f7e1910143febd5be156748d4a9aa3560bc848357e704b5455c5d6b3a4d4e540 SSDeep: 12288:908QrHteGKXa5zNpIy5uZ9l8oRboPXjgb17SZNSnosyDgDjZrM/PvSqqFiGqLbCG:9NQLteBopCPZ9ld5XJZrM/Pvm4N9 |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.mdk4y | 5.75 KB |
MD5:
2c0b02481bc24a5e11a065935340303f
SHA1: 2a76d837b92abe111ec460bb9e78bfc7c7a9fc7c SHA256: fbbd1987998aed9a4b884fb5ef4784f746587a2929a3fb8b1a23cf75687a861d SSDeep: 96:pHbGGLTOzg12PY8pJ3PFIHwmTMoqCS5Kb+s2hs555OevR+XKAV/6ZZrcWgF5Udp1:Rb1vOzg12/p3Mwm0Ls6sEeYV/6ZlBWSN |
|
|
| C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.mdk4y | 2.39 MB |
MD5:
0df18d0157f1cbeb73a810e229449835
SHA1: 3b621adfd75d87bfabd62869c38bd182c5691954 SHA256: 08583d6c0ddc80724f66df49d95a21f376eda35cf454f813c004fc5a6233c4fb SSDeep: 49152:jr/3ARBzFJ27ebkCHCdTex4S120ytJyha16CZt:lebtH1o |
|
|
| C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.mdk4y | 1.84 KB |
MD5:
593e355f472d52501c80ff046ad53472
SHA1: 3843484d44b1427b32e9623c0ad309de2ad31ccf SHA256: 0427864578de27e098cff65e5d20af670c3cc9a5399ae258151b200691047622 SSDeep: 24:bjAXzHsoms9UMFbDpYgrKTmeJBetGTy6/WuwGulVSmpYSQ3a2ZtRMkq62TX28:HAXzMOJ9ze/DWf7S+LQZfRMkg7 |
|
|
| C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.mdk4y | 1.05 MB |
MD5:
0b28d8b1d142a480017b97d41240e3fe
SHA1: 758dd5a4a73817569e2e33c595fc7126a278fbef SHA256: ef58d07e286211ff562b6e8cffd956809a3fed89031a9909b0706d3b28a8ce61 SSDeep: 24576:vuCgjra7lJQyE2hGgdo60HiKKdPm5wHhuHQzGH0KryE/9hSCEn/:T5jjog8CPFiHoKryshSCE/ |
|
|
| C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.mdk4y | 1.57 KB |
MD5:
5540a68c5b536ce11ba81dc423392660
SHA1: 81d2096889d9f67f41e0f92cbf0cad7893652e97 SHA256: ac2992bfa6d00485c7a7759aab319ed1c15cf7ee5514baefe36df7afed99af45 SSDeep: 48:MyBbFaktaILnHhQsr9mqKEnBS6BMyYayNz/t0:hbQknZ9HBS6BBYaI/t0 |
|
|
| C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.mdk4y | 3.11 KB |
MD5:
f2622575a9c0c786ff52f0cd16716c11
SHA1: 792046a368eb36651f98d8d4c2ae13b29ceaf043 SHA256: be59dc2fd9762ddddcf221884b423050579d94646cfba315cca9e2ac7fb67f9c SSDeep: 96:57ynn14sASbzVB6mfZwGCEJPl84+4npJtU3:s65SPVB68KiXLJk |
|
|
| C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.mdk4y | 9.50 MB |
MD5:
eee5b825cf736f65e2fe1855f1fbceef
SHA1: e2009d19ceb10651f66f7dbe2b2fdfb0eb9b2083 SHA256: 29f47ca0bd319b46fdd19d7bb0614078279b8851bd98a5f3a1ddf6ac422f4b2b SSDeep: 196608:M4+MUUvTYpH9lBl/tus7o4L7tZiTnp/jE4U/bxlLRx+c:Mv/UvTiJhU4L7tZiTnprP0txRsc |
|
|
| C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.mdk4y | 2.37 KB |
MD5:
f69ed81eb654d32c4d37e68cd483782c
SHA1: c5b05465a5d1c3888f5a335e5dff67270bb39f69 SHA256: 8b0729962afb832802d54b34d8d0f577753b95b1d51eedac3d1f445d6129336a SSDeep: 48:TWI/xpEXdlcvsQ9nbZWp9+I5bIBHYXVLaRmFgKpW2:ycxpE/t2l1INIBHeVdF82 |
|
|
| C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.mdk4y | 2.79 MB |
MD5:
4ddb0d4dda511ec7042154d99e1e3fb6
SHA1: 6927342ef4414a05f4da3c53ac5a4f6620ca3577 SHA256: 8c40a605bef98af7c46da25ffe223eb3ca582d53397e5e57cc1e93b7384b853d SSDeep: 49152:udBbZ/efNwRfLnYmJf+YoC59POSOwPFhbYRjfIDPHLoBTv5oJBB47q5FqciWDxQm:CbYlaDaC5VPFhbY12HLodiF4+5riWDem |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.mdk4y | 10.00 MB |
MD5:
92cd704d0a8bf51d2f3181db940bc22f
SHA1: d32cd24b6812e59211ccbeea724d71ff6727ce99 SHA256: 319d16c3f55f0fecb94354d0e4c0d56a83028f414efaf0801808d826014b504d SSDeep: 196608:N6lS4CjQR9g8YYIcjfX+vntQdQGzFZaGkGdN7p06H1JX/WanfW/OIV0h:AS4LR9YY5mvJGBZWGRz1kaza0h |
|
|
| C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.mdk4y | 855.00 KB |
MD5:
2ebecd806144364a8ac8d0bafa402e01
SHA1: 1d6e5b59f2eee24bce1ddd5f3bc789c976d5a0e4 SHA256: abf09f7a31f441874029ef9d378a0e0968817183d13f40c0e425fda9bc5d5f46 SSDeep: 24576:j7OfZN00F6nzP+hiGgjOEFNKcDBVD4YR9U:XORP6zJjdNKW34YR6 |
|
|
| C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.mdk4y | 2.39 MB |
MD5:
92fb5ae0a1307b123248fe3dc8247747
SHA1: 37cfb0f173a034789f58306dce91e97e90c638e3 SHA256: 1a6da5af565d2d05a96106722e9c51f45de544d47cabbf262af197f2c9e4b1d0 SSDeep: 49152:4nkMKgqy+d0Vj3kokYace79RLWYqEndTex4S120ytJyham6Co6:WVGy+KrkqaLLWL1o |
|
|
| C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.mdk4y | 10.00 MB |
MD5:
1df81fdc8b063439a43d0c93d6b53134
SHA1: 9e6ae8949ef60e19b55d5690bea45e8345885c6a SHA256: c482f17a43af62264ed51b1c03be1d1f18bf3840ee84002d616e55c94536ff22 SSDeep: 196608:GH6NusPQqb7fKP0ReD0wXKLUEfRrDXP2ifogB+jHcSBLWiyvyWJRMLhdPWfi:g6NuszDKP0q0wM9JrL2ifJEjhW/6vL3D |
|
|
Host Behavior
File (3431)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Log | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\$Recycle.Bin\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\BCD.LOG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\BCD.LOG1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\BCD.LOG2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\BOOTSTAT.DAT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\cs-CZ\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\cs-CZ\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\da-DK\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\da-DK\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\de-DE\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\de-DE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\el-GR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\el-GR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\en-US\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\en-US\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\en-US\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\es-ES\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\es-ES\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\fi-FI\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\fi-FI\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\Fonts\chs_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\Fonts\cht_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\Fonts\jpn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\Fonts\kor_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\Fonts\wgl4_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\Fonts\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\fr-FR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\fr-FR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\hu-HU\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\hu-HU\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\it-IT\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\it-IT\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\ja-JP\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\ja-JP\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\ko-KR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\ko-KR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\nb-NO\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\nb-NO\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\nl-NL\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\nl-NL\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\pl-PL\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\pl-PL\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\pt-BR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\pt-BR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\pt-PT\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\pt-PT\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\ru-RU\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\ru-RU\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\sv-SE\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\sv-SE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\tr-TR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\tr-TR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\zh-CN\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\zh-CN\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\zh-HK\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\zh-HK\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\zh-TW\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Boot\zh-TW\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\BOOTSECT.BAK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Config.Msi\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\hiberfil.sys | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\ShellUI.MST | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\OWOW32WW.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPrWW.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPrWW2.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Office32WW.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Office32WW.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\OWOW32WW.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjPrrWW.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\OWOW32WW.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\pagefile.sys | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\PerfLogs\Admin\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PerfLogs\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\DESIGNER\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\DW\DBGHELP.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\DW\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EQUATION\1033\EEINTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EQUATION\1033\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.CNT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EQUATION\eqnedt32.exe.manifest | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.HLP | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EQUATION\MTEXTRA.TTF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EQUATION\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EURO\MSOEURO.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EURO\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Filters\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.CFG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FNT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\GIFIMP32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.CGM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.WPG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\WPGIMP32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Help\ITIRCL55.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Help\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\MSClientDataMgr\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\MSInfo\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ACEINTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ACEODBCI.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ACERECR.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ACEWSTR.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ADO210.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ALRTINTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL.IDX_DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.REST.IDX_DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\MSSOAPR3.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\OARPMANR.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEDAO.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEERR.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEES.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEEXCH.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEEXCL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEODBC.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEODDBS.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEODEXL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEODTXT.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEOLEDB.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACER3X.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACERCLR.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEREP.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACETXT.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEWDAT.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEWSS.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEXBE.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ATLCONV.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\EXPSRV.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\EXP_PDF.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\EXP_XPS.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\IACOM2.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\LICLUA.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOICONS.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSORES.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSSOAP30.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MUAUTH.CAB | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MUOPTIN.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ODBCMON.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OSETUPUI.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OSETUP.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\pkeyconfig-office.xrm-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\PrjProrWW.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\ProjectMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.en\Proof.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.en\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.es\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.fr\Proof.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.fr\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\Proofing.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\ProPlusrWW.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\VisioMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\VisiorWW.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\WordMUI.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OFFREL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OPHPROXY.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OPTINPS.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\PJ11OD11.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\PJRESC.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\PRJRES.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RICHED20.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\SERCONV.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\USP10.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\VBAJET32.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\WISC30.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_EN.LEX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_ES.LEX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_FR.LEX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\PROOF\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\STINTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\STINTL.DLL.IDX_DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\FBIBLIO.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\FDATE.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\FPERSON.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\FPLACE.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\FSTOCK.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\IETAG.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\IMCONTACT.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\STOCKS.DAT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\STOCKS.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\METCONV.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\METCONV.TXT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\MOFL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\MSTAG.TLB | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Source Engine\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TextConv\MSCONV97.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TextConv\RECOVR32.CNV | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TextConv\Wks9Pxy.cnv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TextConv\WPFT532.CNV | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TextConv\WPFT632.CNV | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TextConv\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\AFTRNOON.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\AFTRNOON.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\ARCTIC.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\ARCTIC.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\AXIS.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\AXIS.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\BLENDS.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\BLENDS.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\BLUECALM.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\BLUECALM.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\BLUEPRNT.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\BLUEPRNT.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\BOLDSTRI.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\BREEZE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\BREEZE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\CANYON.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\CANYON.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\CAPSULES.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\CAPSULES.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\CASCADE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\CASCADE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\COMPASS.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\COMPASS.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\CONCRETE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\CONCRETE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\DEEPBLUE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\DEEPBLUE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\ECHO.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\ECHO.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\EDGE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\EDGE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\EVRGREEN.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\EVRGREEN.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\ICE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\ICE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\INDUST.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\INDUST.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\IRIS.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\IRIS.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\JOURNAL.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\JOURNAL.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\LAYERS.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\LAYERS.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\LEVEL.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\LEVEL.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\NETWORK.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\NETWORK.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PAPYRUS.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PAPYRUS.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\QUAD.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\QUAD.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RADIAL.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RADIAL.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\REFINED.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\REFINED.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RICEPAPR.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RICEPAPR.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RIPPLE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RIPPLE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RMNSQUE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RMNSQUE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\SATIN.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\SATIN.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\SKY.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\SKY.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\SLATE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\SLATE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\SPRING.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\SPRING.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\STRTEDGE.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\STRTEDGE.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\STUDIO.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\STUDIO.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\SUMIPNTG.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\SUMIPNTG.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\THEMES.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\PREVIEW.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\THMBNAIL.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\WATERMAR.ELM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\WATERMAR.INF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR\MSB1ARFR.ITS | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENES\MSB1ENES.ITS | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENES\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.ITS | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FRAR\MSB1FRAR.ITS | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FRAR\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1AR.LEX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1CACH.LEX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1CORE.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1STAR.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\WTSP61MS.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Triedit\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\FM20.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBCN6.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBE7INTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBENDF98.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBHW6.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBLR6.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBOB6.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBUI6.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VC\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VGX\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\BIGFONT.SHX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\CHINESET.SHX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\EXTFONT.SHX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\GBCBIG.SHX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\IC-TXT.SHX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\ICAD.FMP | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHGDTXT.SHX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHGTXT.SHX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHTGTXT.SHX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHTMTXT.SHX | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VSTO\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\MSOSVINT.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Folders\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\FPSRVUTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\FPWEC.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Services\verisign.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\Services\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\SpeechEngines\Microsoft\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\SpeechEngines\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\adojavas.inc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\adovbs.inc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\en-US\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\msado20.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\msado21.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\msado25.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\msado26.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\msado27.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\msado28.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\msadomd28.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\msadox28.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\en-US\wab32res.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\en-US\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\adcjavas.inc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\adcvbs.inc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\en-US\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\handler.reg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\handsafe.reg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\MSMAPI\1033\MSMAPI32.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\MSMAPI\1033\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\MSMAPI\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB\en-US\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB\sqloledb.rll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\audiodepthconverter.ax | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\bod_r.TTF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\directshowtap.ax | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\en-US\HOW_TO_RETURN_FILES.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Eurosti.TTF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\fieldswitch.ax | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\offset.ax | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\rtstreamsink.ax | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\rtstreamsource.ax | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\SecretST.TTF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\Common.fxh | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DissolveAnother.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DissolveNoise.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE |
|
1 | |
| Get Info | C:\Program Files\Microsoft Office\Office14\STARTUP\HOW_TO_RETURN_FILES.txt | type = file_type |
|
1 | |
| Move | C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.mdk4y | source_filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml |
|
1 | |
|
For performance reasons, the remaining 2415 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Process (13)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x960, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xa28, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xa50, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xa78, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xaa0, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xac8, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xaf0, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb18, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb40, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xba8, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xbdc, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x704, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x83c, show_window = SW_HIDE |
|
1 |
Module (94)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x0 |
|
2 | |
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x74d80000 |
|
2 | |
| Load | api-ms-win-core-fibers-l1-1-1 | base_address = 0x0 |
|
4 | |
| Load | kernel32 | base_address = 0x0 |
|
2 | |
| Load | kernel32 | base_address = 0x75a20000 |
|
2 | |
| Load | api-ms-win-core-localization-l1-2-1 | base_address = 0x0 |
|
2 | |
| Load | USER32.DLL | base_address = 0x756f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Handle | c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe | base_address = 0x13a0000 |
|
4 | |
| Get Filename | api-ms-win-core-localization-l1-2-1 | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\whzqnu.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll | address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75a34f2b |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75a34208 |
|
3 | |
| Get Address | c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll | function = InitializeCriticalSectionEx, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75a31252 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ab47f1 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75a3359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75a34d28 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitOnceExecuteOnce, address_out = 0x75a4d627 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75ab410b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreW, address_out = 0x75a4ca5a |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75ab4195 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75a4ee7e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7789441c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x778bc50e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x778bc381 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75a4f088 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x778a05d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x778bca24 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77870b8c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7792fde8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x778c1e1d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75aacd11 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75a4eee0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleEx, address_out = 0x75a4c78f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandle, address_out = 0x75a5cbfc |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimePreciseAsFileTime, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77888456 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x778f7de4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x778b409d |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x75ab4b32 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeSRWLock, address_out = 0x77888456 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AcquireSRWLockExclusive, address_out = 0x778829f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TryAcquireSRWLockExclusive, address_out = 0x77894892 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReleaseSRWLockExclusive, address_out = 0x778829ab |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableSRW, address_out = 0x75ab4b74 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWork, address_out = 0x75a4ee45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SubmitThreadpoolWork, address_out = 0x778c8491 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWork, address_out = 0x778bd8e2 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ab46b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ab4751 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AreFileApisANSI, address_out = 0x75ab40d1 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextW, address_out = 0x75b3df14 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGenRandom, address_out = 0x75b3dfc8 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptReleaseContext, address_out = 0x75b3e124 |
|
1 | |
| Get Address | c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe | function = _OPENSSL_isservice, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetForegroundWindow, address_out = 0x75712320 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorInfo, address_out = 0x7576812f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetQueueStatus, address_out = 0x75713924 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateToolhelp32Snapshot, address_out = 0x75a5735f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseToolhelp32Snapshot, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32First, address_out = 0x75ab5763 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32Next, address_out = 0x75ab594e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32ListFirst, address_out = 0x75ab5621 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Heap32ListNext, address_out = 0x75ab56cb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32First, address_out = 0x75a58ae7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32Next, address_out = 0x75a588a4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Thread32First, address_out = 0x75ab5b93 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Thread32Next, address_out = 0x75ab5c3f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Module32First, address_out = 0x75ab5cd9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Module32Next, address_out = 0x75ab5dc2 |
|
1 |
System (397)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 10000 milliseconds (10.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2019-01-14 07:50:27 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 118295 |
|
1 | |
| Get Time | type = Ticks, time = 118311 |
|
8 | |
| Get Time | type = Ticks, time = 118326 |
|
8 | |
| Get Time | type = Ticks, time = 118342 |
|
8 | |
| Get Time | type = Ticks, time = 118357 |
|
8 | |
| Get Time | type = Ticks, time = 118373 |
|
8 | |
| Get Time | type = Ticks, time = 118389 |
|
8 | |
| Get Time | type = Ticks, time = 118404 |
|
5 | |
| Get Time | type = Ticks, time = 118420 |
|
10 | |
| Get Time | type = Ticks, time = 118435 |
|
8 | |
| Get Time | type = Ticks, time = 118451 |
|
8 | |
| Get Time | type = Ticks, time = 118467 |
|
9 | |
| Get Time | type = Ticks, time = 118482 |
|
6 | |
| Get Time | type = Ticks, time = 118498 |
|
16 | |
| Get Time | type = Ticks, time = 118513 |
|
13 | |
| Get Time | type = Ticks, time = 118529 |
|
12 | |
| Get Time | type = Ticks, time = 118545 |
|
13 | |
| Get Time | type = Ticks, time = 118560 |
|
16 | |
| Get Time | type = Ticks, time = 118576 |
|
15 | |
| Get Time | type = Ticks, time = 118591 |
|
16 | |
| Get Time | type = Ticks, time = 118607 |
|
16 | |
| Get Time | type = Ticks, time = 118623 |
|
16 | |
| Get Time | type = Ticks, time = 118638 |
|
16 | |
| Get Time | type = Ticks, time = 118654 |
|
16 | |
| Get Time | type = Ticks, time = 118669 |
|
20 | |
| Get Time | type = Ticks, time = 118685 |
|
22 | |
| Get Time | type = Ticks, time = 118701 |
|
22 | |
| Get Time | type = Ticks, time = 118716 |
|
22 | |
| Get Time | type = Ticks, time = 118732 |
|
20 | |
| Get Time | type = Ticks, time = 118747 |
|
19 | |
| Get Time | type = Ticks, time = 118763 |
|
10 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
2 |
Process #2: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c NET stop MSSQLSERVER /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:00:38, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x960 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
964
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00130fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x009b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x01dbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001dc0000 | 0x01dc0000 | 0x02102fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02110000 | 0x023defff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a120000 | 0x4a16bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0x9f8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a120000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:37 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 103101 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #3: net.exe
0
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | NET stop MSSQLSERVER /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:00:38, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9f8 |
| Parent PID | 0x960 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9FC
0x
0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00130000 | 0x00196fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x00d20000 | 0x00d37fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x751e0000 | 0x751e6fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x751f0000 | 0x7520bfff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75210000 | 0x7521efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75220000 | 0x75238fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75240000 | 0x7524efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75250000 | 0x7525cfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75260000 | 0x75268fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #4: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSSQLSERVER /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:00:38, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa20 |
| Parent PID | 0x9f8 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x00480000 | 0x004a9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll | 0x75130000 | 0x75131fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x75140000 | 0x75157fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x75160000 | 0x75171fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x75180000 | 0x75190fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x751a0000 | 0x751c1fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x751d0000 | 0x751d8fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75210000 | 0x7521efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75220000 | 0x75238fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75240000 | 0x7524efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75250000 | 0x7525cfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75260000 | 0x75268fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x75130000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x480000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:38 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 104286 |
|
1 |
Process #5: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c NET stop MSSQL$SQLEXPRESS /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:00:38, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa28 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00390000 | 0x003f6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x006c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00850fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x01c5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c60000 | 0x01c60000 | 0x01fa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fb0000 | 0x0227efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x49ea0000 | 0x49eebfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75260000 | 0x75266fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xa40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49ea0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:39 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 104645 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #6: net.exe
0
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | NET stop MSSQL$SQLEXPRESS /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:00:38, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa40 |
| Parent PID | 0xa28 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x000d0000 | 0x000e7fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x751e0000 | 0x751fbfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75200000 | 0x75218fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x75220000 | 0x75226fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75230000 | 0x7523efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75240000 | 0x7524cfff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75250000 | 0x7525efff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75270000 | 0x75278fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #7: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:00:38, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa48 |
| Parent PID | 0xa40 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x00236fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x00c70000 | 0x00c99fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x75130000 | 0x75147fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x75150000 | 0x75161fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x75170000 | 0x75180fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x75190000 | 0x751b1fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x751c0000 | 0x751c8fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll | 0x751d0000 | 0x751d1fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75200000 | 0x75218fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75230000 | 0x7523efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75240000 | 0x7524cfff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75250000 | 0x7525efff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75270000 | 0x75278fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x751d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0xc70000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:39 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 104785 |
|
1 |
Process #8: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c NET STOP acrsch2svc /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:00:38, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa50 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002b0000 | 0x00316fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00830fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x01c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c40000 | 0x01c40000 | 0x01f82fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f90000 | 0x0225efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4aa20000 | 0x4aa6bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xa68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4aa20000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:39 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 104941 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #9: net.exe
0
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | NET STOP acrsch2svc /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:00:38, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa68 |
| Parent PID | 0xa50 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x009f0000 | 0x00a07fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x751e0000 | 0x751e6fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x751f0000 | 0x7520bfff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75210000 | 0x7521efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75220000 | 0x75238fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75240000 | 0x7524efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75250000 | 0x7525cfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75260000 | 0x75268fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #10: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 STOP acrsch2svc /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:00:38, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa70 |
| Parent PID | 0xa68 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x007f0000 | 0x00819fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll | 0x75130000 | 0x75131fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x75140000 | 0x75157fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x75160000 | 0x75171fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x75180000 | 0x75190fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x751a0000 | 0x751c1fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x751d0000 | 0x751d8fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75210000 | 0x7521efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75220000 | 0x75238fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75240000 | 0x7524efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75250000 | 0x7525cfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75260000 | 0x75268fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x75130000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x7f0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:39 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 105113 |
|
1 |
Process #11: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c NET STOP acronisagent /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa78 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x00547fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00760fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x01c7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c80000 | 0x01c80000 | 0x01fc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fd0000 | 0x0229efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a750000 | 0x4a79bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75260000 | 0x75266fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xa90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a750000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:39 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 105285 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #12: net.exe
0
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | NET STOP acronisagent /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:37, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa90 |
| Parent PID | 0xa78 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00190000 | 0x001f6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x00630000 | 0x00647fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x751e0000 | 0x751fbfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75200000 | 0x75218fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x75220000 | 0x75226fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75230000 | 0x7523efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75240000 | 0x7524cfff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75250000 | 0x7525efff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75270000 | 0x75278fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #13: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 STOP acronisagent /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa98 |
| Parent PID | 0xa90 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x00ff0000 | 0x01019fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x75130000 | 0x75147fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x75150000 | 0x75161fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x75170000 | 0x75180fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x75190000 | 0x751b1fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x751c0000 | 0x751c8fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll | 0x751d0000 | 0x751d1fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75200000 | 0x75218fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75230000 | 0x7523efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75240000 | 0x7524cfff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75250000 | 0x7525efff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75270000 | 0x75278fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x751d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0xff0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:40 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 105456 |
|
1 |
Process #14: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c NET STOP arsm /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaa0 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c90000 | 0x01c90000 | 0x01fd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fe0000 | 0x022aefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a800000 | 0x4a84bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xab8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a800000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:40 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 105581 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #15: net.exe
0
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | NET STOP arsm /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xab8 |
| Parent PID | 0xaa0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ABC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x00490000 | 0x004a7fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x751e0000 | 0x751e6fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x751f0000 | 0x7520bfff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75210000 | 0x7521efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75220000 | 0x75238fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75240000 | 0x7524efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75250000 | 0x7525cfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75260000 | 0x75268fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #16: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 STOP arsm /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac0 |
| Parent PID | 0xab8 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x00ff0000 | 0x01019fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll | 0x75130000 | 0x75131fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x75140000 | 0x75157fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x75160000 | 0x75171fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x75180000 | 0x75190fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x751a0000 | 0x751c1fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x751d0000 | 0x751d8fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75210000 | 0x7521efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75220000 | 0x75238fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75240000 | 0x7524efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75250000 | 0x7525cfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75260000 | 0x75268fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x75130000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0xff0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:40 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 105721 |
|
1 |
Process #17: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c NET STOP FirebirdServerDefaultInstance /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac8 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ACC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00171fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00210000 | 0x00276fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00887fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x01e1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001e20000 | 0x01e20000 | 0x02162fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02170000 | 0x0243efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ac90000 | 0x4acdbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75260000 | 0x75266fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xae0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4ac90000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:40 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 105846 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #18: net.exe
0
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | NET STOP FirebirdServerDefaultInstance /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xae0 |
| Parent PID | 0xac8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x00230000 | 0x00247fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x751e0000 | 0x751fbfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75200000 | 0x75218fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x75220000 | 0x75226fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75230000 | 0x7523efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75240000 | 0x7524cfff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75250000 | 0x7525efff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75270000 | 0x75278fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #19: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 STOP FirebirdServerDefaultInstance /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xae8 |
| Parent PID | 0xae0 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x004c0000 | 0x004e9fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x75130000 | 0x75147fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x75150000 | 0x75161fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x75170000 | 0x75180fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x75190000 | 0x751b1fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x751c0000 | 0x751c8fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll | 0x751d0000 | 0x751d1fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75200000 | 0x75218fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75230000 | 0x7523efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75240000 | 0x7524cfff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75250000 | 0x7525efff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75270000 | 0x75278fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x751d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x4c0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:40 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 106002 |
|
1 |
Process #20: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c NET STOP FirebirdGuardianDefaultInstance /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaf0 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00120000 | 0x00186fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x006b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x00840fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x01c4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c50000 | 0x01c50000 | 0x01f92fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fa0000 | 0x0226efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x49d60000 | 0x49dabfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xb08, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49d60000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:40 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 106189 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #21: net.exe
0
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | NET STOP FirebirdGuardianDefaultInstance /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb08 |
| Parent PID | 0xaf0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x00480000 | 0x00497fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x751e0000 | 0x751e6fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x751f0000 | 0x7520bfff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75210000 | 0x7521efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75220000 | 0x75238fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75240000 | 0x7524efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75250000 | 0x7525cfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75260000 | 0x75268fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #22: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 STOP FirebirdGuardianDefaultInstance /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb10 |
| Parent PID | 0xb08 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x00e90000 | 0x00eb9fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll | 0x75130000 | 0x75131fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x75140000 | 0x75157fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x75160000 | 0x75171fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x75180000 | 0x75190fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x751a0000 | 0x751c1fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x751d0000 | 0x751d8fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75210000 | 0x7521efff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75220000 | 0x75238fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75240000 | 0x7524efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75250000 | 0x7525cfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75260000 | 0x75268fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x75130000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0xe90000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:40 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 106345 |
|
1 |
Process #23: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c NET STOP MuzzleServer /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:00:40, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb18 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00767fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x008f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x01cfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d00000 | 0x01d00000 | 0x02042fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02050000 | 0x0231efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a610000 | 0x4a65bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75260000 | 0x75266fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xb30, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a610000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:41 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 106533 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #24: net.exe
0
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | NET STOP MuzzleServer /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb30 |
| Parent PID | 0xb18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x00040000 | 0x00057fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x00060000 | 0x00060fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00073fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00090000 | 0x000f6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x751e0000 | 0x751fbfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75200000 | 0x75218fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x75220000 | 0x75226fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75230000 | 0x7523efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75240000 | 0x7524cfff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75250000 | 0x7525efff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75270000 | 0x75278fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #25: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 STOP MuzzleServer /Y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb38 |
| Parent PID | 0xb30 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x00346fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x00a20000 | 0x00a49fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x75130000 | 0x75147fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x75150000 | 0x75161fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x75170000 | 0x75180fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x75190000 | 0x751b1fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x751c0000 | 0x751c8fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll | 0x751d0000 | 0x751d1fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x75200000 | 0x75218fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x75230000 | 0x7523efff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x75240000 | 0x7524cfff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x75250000 | 0x7525efff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x75270000 | 0x75278fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x751d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0xa20000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:41 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 106704 |
|
1 |
Process #26: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c taskkill /im 1cv7s.exe /T /F |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:00:46, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb40 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x006e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x01daffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001db0000 | 0x01db0000 | 0x020f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02100000 | 0x023cefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a2c0000 | 0x4a30bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xb58, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a2c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:41 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 106891 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #27: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /im 1cv7s.exe /T /F |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:00:46, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0xb40 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B5C
0x
B60
0x
B64
0x
B68
0x
B6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00507fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00690fff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0x006a0000 | 0x0075ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| taskkill.exe | 0x00b40000 | 0x00b55fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x01f5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f60000 | 0x0222efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x022dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002310000 | 0x02310000 | 0x0234ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x023bffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x74eb0000 | 0x74ec6fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x74ed0000 | 0x74ee7fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x74ef0000 | 0x74f85fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x74f90000 | 0x74f9efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x74fa0000 | 0x74fadfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74fb0000 | 0x74feafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74ff0000 | 0x75005fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x75010000 | 0x75038fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x75040000 | 0x7509bfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x750a0000 | 0x750a9fff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x750b0000 | 0x7519afff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x751a0000 | 0x751aefff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x751b0000 | 0x751c8fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x751d0000 | 0x751d8fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x751e0000 | 0x751f0fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x75200000 | 0x7520cfff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x75210000 | 0x75244fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x75250000 | 0x75257fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x75260000 | 0x75268fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x754b0000 | 0x75532fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75540000 | 0x7569bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75ce0000 | 0x75d36fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75f60000 | 0x75feefff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #30: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c taskkill /im 1cv8s.exe /T /F |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:00:46, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xba8 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BAC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00240fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00737fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x008c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x01ccffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001cd0000 | 0x01cd0000 | 0x02012fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02020000 | 0x022eefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4aa80000 | 0x4aacbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75260000 | 0x75266fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xbc0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4aa80000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:43 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 108405 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #31: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /im 1cv8s.exe /T /F |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:00:46, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbc0 |
| Parent PID | 0xba8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BC4
0x
BC8
0x
BCC
0x
BD0
0x
BD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| taskkill.exe.mui | 0x000f0000 | 0x000f3fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0x00760000 | 0x0081ffff | Memory Mapped File | rw |
|
|
|
- |
| taskkill.exe | 0x00830000 | 0x00845fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x01c4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d20000 | 0x01d20000 | 0x01d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d70000 | 0x01d70000 | 0x01daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001dc0000 | 0x01dc0000 | 0x01dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e30000 | 0x01e30000 | 0x01e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f70000 | 0x01f70000 | 0x01faffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01fb0000 | 0x0227efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x0236ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002390000 | 0x02390000 | 0x023cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x0241ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002460000 | 0x02460000 | 0x0249ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x74ea0000 | 0x74eb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x74ec0000 | 0x74ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x74ee0000 | 0x74f75fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74f80000 | 0x74fbafff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x74fc0000 | 0x750aafff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x750c0000 | 0x750cefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x750d0000 | 0x750ddfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x750e0000 | 0x750f5fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x75100000 | 0x75128fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x75130000 | 0x7518bfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x75190000 | 0x75199fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x751a0000 | 0x751b8fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x751c0000 | 0x751d0fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x751e0000 | 0x751eefff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x751f0000 | 0x751f8fff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x75200000 | 0x75234fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x75240000 | 0x75247fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x75250000 | 0x7525cfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x75270000 | 0x75278fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x754b0000 | 0x75532fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75540000 | 0x7569bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75ce0000 | 0x75d36fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75f60000 | 0x75feefff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #32: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c taskkill /im 1cv7.exe /T /F |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:00:47, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbdc |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00797fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x00920fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x01d2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d30000 | 0x01d30000 | 0x02072fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02080000 | 0x0234efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a410000 | 0x4a45bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xbf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a410000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:43 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 108904 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #33: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /im 1cv7.exe /T /F |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:00:47, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf4 |
| Parent PID | 0xbdc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF8
0x
BFC
0x
6BC
0x
6C8
0x
73C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0013ffff | Private Memory | rw |
|
|
|
- |
| taskkill.exe.mui | 0x00140000 | 0x00143fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x00377fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00750000 | 0x0080ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00bb0000 | 0x00e7efff | Memory Mapped File | r |
|
|
|
- |
| taskkill.exe | 0x00ed0000 | 0x00ee5fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x022effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002300000 | 0x02300000 | 0x0233ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002390000 | 0x02390000 | 0x023cffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x74eb0000 | 0x74ec6fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x74ed0000 | 0x74ee7fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x74ef0000 | 0x74f85fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x74f90000 | 0x74f9efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x74fa0000 | 0x74fadfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74fb0000 | 0x74feafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74ff0000 | 0x75005fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x75010000 | 0x75038fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x75040000 | 0x7509bfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x750a0000 | 0x750a9fff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x750b0000 | 0x7519afff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x751a0000 | 0x751aefff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x751b0000 | 0x751c8fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x751d0000 | 0x751d8fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x751e0000 | 0x751f0fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x75200000 | 0x7520cfff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x75210000 | 0x75244fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x75250000 | 0x75257fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x75260000 | 0x75268fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x754b0000 | 0x75532fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75540000 | 0x7569bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75ce0000 | 0x75d36fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75f60000 | 0x75feefff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #34: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c taskkill /im 1cv8.exe /T /F |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:00:46, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x704 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
710
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00aa7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x0203ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002040000 | 0x02040000 | 0x02382fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02390000 | 0x0265efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a270000 | 0x4a2bbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75260000 | 0x75266fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x80c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a270000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:44 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 109419 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #35: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /im 1cv8.exe /T /F |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:00:47, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x80c |
| Parent PID | 0x704 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
808
0x
804
0x
274
0x
4E4
0x
4F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| taskkill.exe.mui | 0x00130000 | 0x00133fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x001a0000 | 0x0025ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00757fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| taskkill.exe | 0x00870000 | 0x00885fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x01e1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f80000 | 0x01f80000 | 0x01fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fe0000 | 0x01fe0000 | 0x0201ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002020000 | 0x02020000 | 0x0205ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x020cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002140000 | 0x02140000 | 0x0217ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02180000 | 0x0244efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x024affff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x74ea0000 | 0x74eb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x74ec0000 | 0x74ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x74ee0000 | 0x74f75fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74f80000 | 0x74fbafff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x74fc0000 | 0x750aafff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x750c0000 | 0x750cefff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x750d0000 | 0x750ddfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x750e0000 | 0x750f5fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x75100000 | 0x75128fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x75130000 | 0x7518bfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x75190000 | 0x75199fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x751a0000 | 0x751b8fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x751c0000 | 0x751d0fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x751e0000 | 0x751eefff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x751f0000 | 0x751f8fff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x75200000 | 0x75234fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x75240000 | 0x75247fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x75250000 | 0x7525cfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x75270000 | 0x75278fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x754b0000 | 0x75532fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75540000 | 0x7569bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75ce0000 | 0x75d36fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75f60000 | 0x75feefff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Process #36: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c wmic shadowcopy delete |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:00:58, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x83c |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
840
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001da0000 | 0x01da0000 | 0x020e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x020f0000 | 0x023befff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a830000 | 0x4a87bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0x818, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a830000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:44 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 109871 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 80041014 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #37: wmic.exe
22
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | wmic shadowcopy delete |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:00:58, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x818 |
| Parent PID | 0x83c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
814
0x
780
0x
870
0x
7A8
0x
878
0x
87C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wmic.exe.mui | 0x00080000 | 0x0008ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| msxml3r.dll | 0x00180000 | 0x00180fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001affff | Private Memory | - |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00280000 | 0x00280fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00291fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x002e0000 | 0x002effff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x002f0000 | 0x002f7fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x00300000 | 0x0030ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00350000 | 0x0038bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x0036cfff | Pagefile Backed Memory | rw |
|
|
|
- |
| wmiutils.dll.mui | 0x00360000 | 0x00364fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x00657fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b30000 | 0x00dfefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00e00000 | 0x00ebffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f8ffff | Private Memory | rw |
|
|
|
- |
| wmic.exe | 0x00fc0000 | 0x01022fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001030000 | 0x01030000 | 0x0242ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x0265ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x0252ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002530000 | 0x02530000 | 0x0260efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002620000 | 0x02620000 | 0x0265ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002660000 | 0x02660000 | 0x02a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a60000 | 0x02a60000 | 0x02bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ac0000 | 0x02ac0000 | 0x02afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b20000 | 0x02b20000 | 0x02b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ba0000 | 0x02ba0000 | 0x02bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c20000 | 0x02c20000 | 0x02c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x02d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ee0000 | 0x02ee0000 | 0x02eeffff | Private Memory | rw |
|
|
|
- |
| wmiutils.dll | 0x74a70000 | 0x74a86fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x74aa0000 | 0x74ab7fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x74ac0000 | 0x74b55fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x74b60000 | 0x74b6efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr90.dll | 0x74b70000 | 0x74c12fff | Memory Mapped File | rwx |
|
|
|
- |
| msoxmlmf.dll | 0x74c20000 | 0x74c2cfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74c30000 | 0x74c6afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74c70000 | 0x74c85fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74c90000 | 0x74cd3fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74d00000 | 0x74d7ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x74e40000 | 0x74e4dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74e50000 | 0x74e70fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74e80000 | 0x74e8afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74e90000 | 0x7502dfff | Memory Mapped File | rwx |
|
|
|
- |
| msxml3.dll | 0x75030000 | 0x75162fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x75170000 | 0x751cbfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x751d0000 | 0x751d9fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x751e0000 | 0x751e6fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x751f0000 | 0x7520bfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x75210000 | 0x75217fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x75220000 | 0x7522cfff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x75230000 | 0x75264fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x754b0000 | 0x75532fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75540000 | 0x7569bfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x756a0000 | 0x756e4fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x757f0000 | 0x759eafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x75be0000 | 0x75cd4fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75ce0000 | 0x75d36fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75f60000 | 0x75feefff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76190000 | 0x762acfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x762e0000 | 0x76415fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x764c0000 | 0x764f4fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76670000 | 0x772b9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x772c0000 | 0x772cbfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77820000 | 0x77825fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (7)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | EB87E1BD-3233-11D2-AEC9-00C04FB68820 | EB87E1BC-3233-11D2-AEC9-00C04FB68820 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\XDUWTFONO\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_ShadowCopy |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\kernel32.dll | base_address = 0x75a20000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0xfc0000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = XDUWTFONO |
|
1 | |
| Get Time | type = System Time, time = 2019-01-14 07:50:44 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 110121 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-14 18:50:46 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Process #40: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c sc stop "Acronis VSS Provider" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:57, Reason: Child Process |
| Unmonitor | End Time: 00:01:00, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x69c |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00130fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00980fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x01d8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d90000 | 0x01d90000 | 0x020d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x020e0000 | 0x023aefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x49f60000 | 0x49fabfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75210000 | 0x75216fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x7ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49f60000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:49 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114832 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #41: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #41 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop "Acronis VSS Provider" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:58, Reason: Child Process |
| Unmonitor | End Time: 00:01:00, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7ec |
| Parent PID | 0x69c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7E4
0x
57C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00130000 | 0x001effff | Memory Mapped File | rw |
|
|
|
- |
| sc.exe.mui | 0x001f0000 | 0x001fffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x00ed0000 | 0x00edbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xed0000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:50 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 115877 |
|
1 |
Process #42: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c sc stop "Enterprise Client Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:59, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x770 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
774
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x01bbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001bc0000 | 0x01bc0000 | 0x01f02fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f10000 | 0x021defff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a0c0000 | 0x4a10bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x4a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a0c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:51 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 116470 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #43: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop "Enterprise Client Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4a0 |
| Parent PID | 0x770 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
248
0x
114
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x00130000 | 0x0013ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x001f0000 | 0x002affff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x00f40000 | 0x00f4bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xf40000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:51 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 116548 |
|
1 |
Process #44: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #44 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c sc stop "Sophos Agent" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x49c |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00907fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x01eeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ef0000 | 0x01ef0000 | 0x02232fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02240000 | 0x0250efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a4a0000 | 0x4a4ebfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75210000 | 0x75216fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x7c4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a4a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:51 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 116688 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #45: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop "Sophos Agent" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7c4 |
| Parent PID | 0x49c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C4
0x
568
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| sc.exe | 0x00060000 | 0x0006bfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00080000 | 0x000e6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x00180000 | 0x0018ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00440000 | 0x004fffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0x60000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:51 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 116766 |
|
1 |
Process #46: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c sc stop "Sophos AutoUpdate Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7e0 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
478
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x00236fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00240fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00587fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00830fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x01c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c40000 | 0x01c40000 | 0x01f82fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f90000 | 0x0225efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a390000 | 0x4a3dbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x7dc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a390000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:51 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 116907 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #47: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #47 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop "Sophos AutoUpdate Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7dc |
| Parent PID | 0x7e0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
890
0x
604
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x00080000 | 0x0008ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x002d0000 | 0x002dbfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00470000 | 0x0052ffff | Memory Mapped File | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0x2d0000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:51 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 116969 |
|
1 |
Process #48: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c sc stop "Sophos Clean Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7cc |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00240fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x009d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x01ddffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001de0000 | 0x01de0000 | 0x02122fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02130000 | 0x023fefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x49e60000 | 0x49eabfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75210000 | 0x75216fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x824, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49e60000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:51 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 117109 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #49: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop "Sophos Clean Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x824 |
| Parent PID | 0x7cc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
828
0x
82C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x00130000 | 0x0013ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00210000 | 0x002cffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x00d60000 | 0x00d6bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xd60000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:51 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 117187 |
|
1 |
Process #50: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #50 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c sc stop "Sophos Device Control Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x834 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
844
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00231fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00340000 | 0x003a6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00790fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x01b9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ba0000 | 0x01ba0000 | 0x01ee2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01ef0000 | 0x021befff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x49dd0000 | 0x49e1bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x5b0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49dd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:51 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 117375 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #51: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop "Sophos Device Control Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5b0 |
| Parent PID | 0x834 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5B8
0x
8A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| sc.exe | 0x000e0000 | 0x000ebfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x00100000 | 0x0010ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00410000 | 0x004cffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe0000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 117453 |
|
1 |
Process #52: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c sc stop "Sophos File Scanner Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x540 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
688
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x00b30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x01f3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001f40000 | 0x01f40000 | 0x02282fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02290000 | 0x0255efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ac20000 | 0x4ac6bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75210000 | 0x75216fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x924, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4ac20000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 117593 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #53: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #53 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop "Sophos File Scanner Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x924 |
| Parent PID | 0x540 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8C4
0x
8B0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x00130000 | 0x0013ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00250000 | 0x0030ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x00a00000 | 0x00a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xa00000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 117640 |
|
1 |
Process #54: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c sc stop "Sophos Health Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:03, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8cc |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x009c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x00b50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x01f5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001f60000 | 0x01f60000 | 0x022a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x022b0000 | 0x0257efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4aca0000 | 0x4acebfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x8d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4aca0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 117780 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #55: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #55 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop "Sophos Health Service" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8d8 |
| Parent PID | 0x8cc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
900
0x
8DC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| sc.exe | 0x000f0000 | 0x000fbfff | Memory Mapped File | rwx |
|
|
|
- |
| sc.exe.mui | 0x00100000 | 0x0010ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00400000 | 0x004bffff | Memory Mapped File | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xf0000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 117843 |
|
1 |
Process #56: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c sc stop "Sophos MCS Agent" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8a8 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00130fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00417fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x00670fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x01bcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001bd0000 | 0x01bd0000 | 0x01f12fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f20000 | 0x021eefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x49e60000 | 0x49eabfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75210000 | 0x75216fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x884, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49e60000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 117967 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #57: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop "Sophos MCS Agent" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x884 |
| Parent PID | 0x8a8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
894
0x
8A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x000f0000 | 0x001affff | Memory Mapped File | rw |
|
|
|
- |
| sc.exe.mui | 0x001b0000 | 0x001bffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| sc.exe | 0x00780000 | 0x0078bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0x780000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 118014 |
|
1 |
Process #58: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c sc stop "Sophos MCS Client" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x950 |
| Parent PID | 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\whzqnu.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
954
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00130fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x00960fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x01d6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d70000 | 0x01d70000 | 0x020b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x020c0000 | 0x0238efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a560000 | 0x4a5abfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 50, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x910, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a560000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 118139 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #59: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #59 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc stop "Sophos MCS Client" /y |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x910 |
| Parent PID | 0x950 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
914
0x
908
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| sc.exe.mui | 0x00100000 | 0x0010ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00300000 | 0x00366fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x003e0000 | 0x0049ffff | Memory Mapped File | rw |
|
|
|
- |
| sc.exe | 0x00f30000 | 0x00f3bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xf30000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-14 07:50:52 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 118201 |
|
1 |
