263cf261a45e5d9cf420e9b5ccda364d3765a439623cbd7be64daf8cc57d7869 (SHA256)
Paquete_id345634563.PDF.js
JScript
Created at 2018-05-02 13:26:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: cscript.exe
107
5
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\windows\system32\cscript.exe |
| Command Line | "C:\Windows\System32\CScript.exe" "C:\Users\CIIHMN~1\Desktop\PAQUET~1.JS" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:39, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:49, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe6c |
| Parent PID | 0x5dc (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E70
0x
EC0
0x
EC4
0x
EC8
0x
ED0
0x
ED8
0x
EDC
0x
EE0
0x
F8C
0x
FD0
0x
FE0
0x
FE8
0x
C0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000092e5460000 | 0x92e5460000 | 0x92e547ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e5460000 | 0x92e5460000 | 0x92e546ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e5470000 | 0x92e5470000 | 0x92e5476fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e5480000 | 0x92e5480000 | 0x92e5493fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000092e54a0000 | 0x92e54a0000 | 0x92e559ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e55a0000 | 0x92e55a0000 | 0x92e55a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000092e55b0000 | 0x92e55b0000 | 0x92e55b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000092e55c0000 | 0x92e55c0000 | 0x92e55c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e55d0000 | 0x92e55d0000 | 0x92e55d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| cscript.exe.mui | 0x92e55e0000 | 0x92e55e2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000092e55f0000 | 0x92e55f0000 | 0x92e56effff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x92e56f0000 | 0x92e57adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000092e57b0000 | 0x92e57b0000 | 0x92e58affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e58b0000 | 0x92e58b0000 | 0x92e58b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e58c0000 | 0x92e58c0000 | 0x92e58c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e58d0000 | 0x92e58d0000 | 0x92e58effff | Private Memory | Readable, Writable |
|
|
|
- |
| cscript.exe | 0x92e58d0000 | 0x92e58d8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000092e58e0000 | 0x92e58e0000 | 0x92e58effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e58f0000 | 0x92e58f0000 | 0x92e58f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000092e58f0000 | 0x92e58f0000 | 0x92e58f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000092e5900000 | 0x92e5900000 | 0x92e5900fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000092e5910000 | 0x92e5910000 | 0x92e5910fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000092e5920000 | 0x92e5920000 | 0x92e5920fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000092e5920000 | 0x92e5920000 | 0x92e592ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e5930000 | 0x92e5930000 | 0x92e593ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e5940000 | 0x92e5940000 | 0x92e5ac7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000092e5ad0000 | 0x92e5ad0000 | 0x92e5c50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000092e5c60000 | 0x92e5c60000 | 0x92e705ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| rpcss.dll | 0x92e7060000 | 0x92e7135fff | Memory Mapped File | Readable |
|
|
|
- |
| sortdefault.nls | 0x92e7060000 | 0x92e7396fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000092e73a0000 | 0x92e73a0000 | 0x92e749ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e74a0000 | 0x92e74a0000 | 0x92e7557fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000092e7560000 | 0x92e7560000 | 0x92e765ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e7660000 | 0x92e7660000 | 0x92e865ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7660000 | 0x92e7660000 | 0x92e775ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7760000 | 0x92e7760000 | 0x92e77dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7760000 | 0x92e7760000 | 0x92e7766fff | Private Memory | Readable, Writable |
|
|
|
- |
| tzres.dll | 0x92e7770000 | 0x92e7772fff | Memory Mapped File | Readable |
|
|
|
- |
| wshom.ocx | 0x92e7770000 | 0x92e7782fff | Memory Mapped File | Readable |
|
|
|
- |
| tzres.dll.mui | 0x92e7780000 | 0x92e7788fff | Memory Mapped File | Readable |
|
|
|
- |
| scrrun.dll | 0x92e7790000 | 0x92e779ffff | Memory Mapped File | Readable |
|
|
|
- |
| msxml3r.dll | 0x92e77a0000 | 0x92e77a0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000092e77b0000 | 0x92e77b0000 | 0x92e77b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| counters.dat | 0x92e77c0000 | 0x92e77c0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000092e77d0000 | 0x92e77d0000 | 0x92e77dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e77e0000 | 0x92e77e0000 | 0x92e78dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e78e0000 | 0x92e78e0000 | 0x92e79dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e79e0000 | 0x92e79e0000 | 0x92e7adffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7ae0000 | 0x92e7ae0000 | 0x92e7bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7be0000 | 0x92e7be0000 | 0x92e7d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7be0000 | 0x92e7be0000 | 0x92e7d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7be0000 | 0x92e7be0000 | 0x92e7ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x92e7be0000 | 0x92e7cbefff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000092e7cc0000 | 0x92e7cc0000 | 0x92e7cc0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e7cd0000 | 0x92e7cd0000 | 0x92e7cd1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e7cd0000 | 0x92e7cd0000 | 0x92e7cdffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000092e7ce0000 | 0x92e7ce0000 | 0x92e7ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e7cf0000 | 0x92e7cf0000 | 0x92e7cf1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| mswsock.dll.mui | 0x92e7d00000 | 0x92e7d02fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000092e7d10000 | 0x92e7d10000 | 0x92e7d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e7d20000 | 0x92e7d20000 | 0x92e7d21fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000092e7d30000 | 0x92e7d30000 | 0x92e7d30fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7d60000 | 0x92e7d60000 | 0x92e7d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7d70000 | 0x92e7d70000 | 0x92e7f5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7d70000 | 0x92e7d70000 | 0x92e7efffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7f50000 | 0x92e7f50000 | 0x92e7f5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000092e7f60000 | 0x92e7f60000 | 0x92e835ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000092e8660000 | 0x92e8660000 | 0x92e8660fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007df5ff080000 | 0x7df5ff080000 | 0x7ff5ff07ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7ebc5c000 | 0x7ff7ebc5c000 | 0x7ff7ebc5dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7ebc5e000 | 0x7ff7ebc5e000 | 0x7ff7ebc5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7ebc60000 | 0x7ff7ebc60000 | 0x7ff7ebd5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7ebd60000 | 0x7ff7ebd60000 | 0x7ff7ebd82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7ebd83000 | 0x7ff7ebd83000 | 0x7ff7ebd84fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7ebd85000 | 0x7ff7ebd85000 | 0x7ff7ebd86fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7ebd87000 | 0x7ff7ebd87000 | 0x7ff7ebd88fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7ebd89000 | 0x7ff7ebd89000 | 0x7ff7ebd8afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7ebd8b000 | 0x7ff7ebd8b000 | 0x7ff7ebd8cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7ebd8d000 | 0x7ff7ebd8d000 | 0x7ff7ebd8dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7ebd8e000 | 0x7ff7ebd8e000 | 0x7ff7ebd8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cscript.exe | 0x7ff7ecad0000 | 0x7ff7ecafefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msdart.dll | 0x7ffbeb7d0000 | 0x7ffbeb7f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msado15.dll | 0x7ffbeb800000 | 0x7ffbeb936fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x7ffbebc10000 | 0x7ffbebe46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scrrun.dll | 0x7ffbec1c0000 | 0x7ffbec1f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshom.ocx | 0x7ffbec200000 | 0x7ffbec228fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffbec230000 | 0x7ffbec2d9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scrobj.dll | 0x7ffbed3a0000 | 0x7ffbed3e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshext.dll | 0x7ffbed3f0000 | 0x7ffbed40cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpoav.dll | 0x7ffbed410000 | 0x7ffbed42cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| jscript.dll | 0x7ffbed430000 | 0x7ffbed4fdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mskeyprotect.dll | 0x7ffbeda10000 | 0x7ffbeda23fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mlang.dll | 0x7ffbedf30000 | 0x7ffbedf6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldp.dll | 0x7ffbf39b0000 | 0x7ffbf39bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x7ffbf5c50000 | 0x7ffbf5ef6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msisip.dll | 0x7ffbf69c0000 | 0x7ffbf69cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| amsi.dll | 0x7ffbf69d0000 | 0x7ffbf69dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x7ffbf6fc0000 | 0x7ffbf7156fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffbf9250000 | 0x7ffbf9264fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x7ffbf9380000 | 0x7ffbf96f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x7ffbf9f50000 | 0x7ffbf9f59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7ffbfb2c0000 | 0x7ffbfb2c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ffbfb2d0000 | 0x7ffbfb543fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winhttp.dll | 0x7ffbfbb40000 | 0x7ffbfbc15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x7ffbfced0000 | 0x7ffbfcf37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ffbfe0d0000 | 0x7ffbfe0dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ffbfe0f0000 | 0x7ffbfe127fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ffbfe9a0000 | 0x7ffbfe9c1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffbff170000 | 0x7ffbff205fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x7ffbffad0000 | 0x7ffbffaebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| schannel.dll | 0x7ffbffc40000 | 0x7ffbffcb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffbffdc0000 | 0x7ffbffdf2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x7ffbfff10000 | 0x7ffbfffb7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ffc00110000 | 0x7ffc0016cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffc00170000 | 0x7ffc00186fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffc002e0000 | 0x7ffc002eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntasn1.dll | 0x7ffc00370000 | 0x7ffc003a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffc004c0000 | 0x7ffc004ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffc006c0000 | 0x7ffc006e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc006f0000 | 0x7ffc0075afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxs.dll | 0x7ffc00760000 | 0x7ffc007f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ffc008a0000 | 0x7ffc008e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffc008f0000 | 0x7ffc00902fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc00910000 | 0x7ffc0091efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ffc00920000 | 0x7ffc00930fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| windows.storage.dll | 0x7ffc00940000 | 0x7ffc00f67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffc00fc0000 | 0x7ffc01072fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wintrust.dll | 0x7ffc01080000 | 0x7ffc010d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ffc01190000 | 0x7ffc01350fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ffc01540000 | 0x7ffc015e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffc015f0000 | 0x7ffc01625fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffc01640000 | 0x7ffc016e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffc018a0000 | 0x7ffc01b1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffc01f00000 | 0x7ffc0204dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffc02050000 | 0x7ffc02057fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffc02160000 | 0x7ffc022bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffc022c0000 | 0x7ffc037e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffc037f0000 | 0x7ffc03974fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffc03980000 | 0x7ffc039e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffc03a50000 | 0x7ffc03aa0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| coml2.dll | 0x7ffc03b40000 | 0x7ffc03baefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffc03bb0000 | 0x7ffc03cf0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffc03d00000 | 0x7ffc03dbdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
|
For performance reasons, the remaining 30 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe | 3.88 MB |
MD5:
f612bccf909dbc5bbf1779d44a9ca045
SHA1: 738f4a49580cf914a37bdd2ad5e264011d3ddd5f SHA256: 9407e4ce0df76e62f0ad9439f3a091909d6c540a83a19dfe6ee5e3990ad6bde9 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\counters.dat | 0.12 KB |
MD5:
0fc07622856a4f02ec32f3b8cdc7d79a
SHA1: 69227fbe52d3fbfa3af508fee363698fd2a3613c SHA256: 0ac6eba5d515f5a55c7d5bd712cb191aac9bbef780cac77f3a69e357d8c3d746 |
|
|
Host Behavior
COM (10)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | F414C260-6AC0-11CF-B6D1-00AA00BBBB58 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | Scripting.FileSystemObject | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | MSXML2.XMLHTTP | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | ADODB.Stream | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | Wscript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | MSXML2.XMLHTTP | IDispatch | method_name = Open |
|
1 |
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\Desktop\PAQUET~1.JS | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe | - |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\Desktop\PAQUET~1.JS | type = size |
|
1 | |
| Get Info | - | type = size |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Read | - | size = 2190, size_out = 2190 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 110 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe | size = 0 |
|
1 |
Registry (24)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | - |
|
3 | |
| Open Key | HKEY_CLASSES_ROOT\.JS | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\JSFile\ScriptEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Enabled, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = LogSecuritySuccesses, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = IgnoreUserSettings, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = TrustPolicy, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = UseWINSAFER, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = Timeout, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings | value_name = DisplayLogo, data = 49, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\.JS | data = JSFile, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\JSFile\ScriptEngine | data = JScript, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe | os_pid = 0xcd0, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 |
Module (31)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc03dc0000 |
|
2 | |
| Load | amsi.dll | base_address = 0x7ffbf69d0000 |
|
1 | |
| Load | WLDP.DLL | base_address = 0x7ffbf39b0000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x7ffc01640000 |
|
1 | |
| Get Handle | c:\windows\system32\cscript.exe | base_address = 0x7ff7ecad0000 |
|
3 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffc03dc0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernelbase.dll | base_address = 0x7ffc01360000 |
|
1 | |
| Get Filename | c:\windows\system32\cscript.exe | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffc03ddd550 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x7ffc03de0f40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x7ffc013cd460 |
|
1 | |
| Get Address | c:\windows\system32\amsi.dll | function = AmsiInitialize, address_out = 0x7ffbf69d2260 |
|
1 | |
| Get Address | c:\windows\system32\amsi.dll | function = AmsiScanString, address_out = 0x7ffbf69d26b0 |
|
1 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x7ffc013ba1b0 |
|
1 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x7ffc0141e790 |
|
1 | |
| Get Address | c:\windows\system32\wldp.dll | function = WldpGetLockdownPolicy, address_out = 0x7ffbf39b1010 |
|
1 | |
| Get Address | c:\windows\system32\wldp.dll | function = WldpIsClassInApprovedList, address_out = 0x7ffbf39b3820 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x7ffc0164a7d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x7ffc01643ba0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferCloseLevel, address_out = 0x7ffc01656cc0 |
|
1 | |
| Get Address | c:\windows\system32\cscript.exe | function = 1, address_out = 0x7ff7ecad1350 |
|
2 | |
| Get Address | c:\windows\system32\amsi.dll | function = AmsiUninitialize, address_out = 0x7ffbf69d2490 |
|
1 | |
| Create Mapping | C:\Users\CIIHMN~1\Desktop\PAQUET~1.JS | filename = C:\Users\CIIHMN~1\Desktop\PAQUET~1.JS, protection = PAGE_READONLY, maximum_size = 2190 |
|
1 | |
| Map | C:\Users\CIIHMN~1\Desktop\PAQUET~1.JS | process_name = c:\windows\system32\cscript.exe, desired_access = FILE_MAP_READ |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WSH-Timer, wndproc_parameter = 630916865008 |
|
1 |
System (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
2 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
2 | |
| Get Time | type = Ticks, time = 126781 |
|
2 | |
| Get Time | type = Ticks, time = 167031 |
|
2 | |
| Get Time | type = Ticks, time = 167546 |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = System Directory |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = JS_PROFILER |
|
1 | |
| Get Environment String | name = USERNAME, result_out = CIiHmnxMn6Ps |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 349 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | www.wkc.co.id |
HTTP Session #1
| Information | Value |
|---|---|
| Used COM interface | MSXML2.XMLHTTP |
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) |
| Server Name | www.wkc.co.id |
| Server Port | 443 |
| Data Sent | 349 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = https, server_name = www.wkc.co.id, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /heritage58.com/js/lib/inode.jpg |
|
1 | |
| Send HTTP Request | url = https://www.wkc.co.id/heritage58.com/js/lib/inode.jpg |
|
1 | |
| Read Response | size_out = 0 |
|
1 |
Process #3: 86976.exe
555
5
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe |
| Command Line | C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:49, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcd0 |
| Parent PID | 0xe6c (c:\windows\system32\cscript.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D04
0x
CDC
0x
CA0
0x
C9C
0x
C88
0x
C94
0x
C90
0x
C8C
0x
C54
0x
C84
0x
C48
0x
B54
0x
C3C
0x
C40
0x
D6C
0x
D78
0x
C44
0x
CA4
0x
438
0x
B0
0x
CC0
0x
CBC
0x
CAC
0x
CB4
0x
CB8
0x
CC8
0x
CFC
0x
CEC
0x
CF4
0x
CE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00330000 | 0x00359fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00373fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003e5fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| windowsshell.manifest | 0x003e0000 | 0x003e0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| 86976.exe | 0x00400000 | 0x01e5cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| locale.nls | 0x01e60000 | 0x01f1dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x0201ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002020000 | 0x02020000 | 0x021a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000021b0000 | 0x021b0000 | 0x0227ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021b0000 | 0x021b0000 | 0x021effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021f0000 | 0x021f0000 | 0x0222ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x0226ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002270000 | 0x02270000 | 0x0227ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002280000 | 0x02280000 | 0x02400fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002410000 | 0x02410000 | 0x0380ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003810000 | 0x03810000 | 0x0390ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003910000 | 0x03910000 | 0x03a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003a10000 | 0x03a10000 | 0x03b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003b10000 | 0x03b10000 | 0x03c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003c10000 | 0x03c10000 | 0x03d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003d10000 | 0x03d10000 | 0x03d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003d50000 | 0x03d50000 | 0x03e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003e50000 | 0x03e50000 | 0x03e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003e90000 | 0x03e90000 | 0x03f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003f90000 | 0x03f90000 | 0x03fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003fd0000 | 0x03fd0000 | 0x040cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000040d0000 | 0x040d0000 | 0x0410ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004110000 | 0x04110000 | 0x0420ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004210000 | 0x04210000 | 0x0424ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004250000 | 0x04250000 | 0x0434ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x0438ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004390000 | 0x04390000 | 0x0448ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x044cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x045cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x0460ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x0470ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004710000 | 0x04710000 | 0x0474ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004750000 | 0x04750000 | 0x0484ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004850000 | 0x04850000 | 0x0488ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x0498ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x049cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04acffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x0500ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0510ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0514ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x0524ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0528ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005290000 | 0x05290000 | 0x0538ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005390000 | 0x05390000 | 0x053cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000053d0000 | 0x053d0000 | 0x054cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000054d0000 | 0x054d0000 | 0x055cffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x055d0000 | 0x05906fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000005910000 | 0x05910000 | 0x0610ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x05910000 | 0x059f8fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000006110000 | 0x06110000 | 0x0690ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000006910000 | 0x06910000 | 0x06921fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74860000 | 0x7487afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winspool.drv | 0x74880000 | 0x748e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x748f0000 | 0x74af8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74b00000 | 0x74b07fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74b10000 | 0x74b30fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmmbase.dll | 0x74b40000 | 0x74b62fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x74b70000 | 0x74b93fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x74c40000 | 0x74cd0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75030000 | 0x75065fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x755b0000 | 0x7696efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007fe6b000 | 0x7fe6b000 | 0x7fe6dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe6e000 | 0x7fe6e000 | 0x7fe70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe71000 | 0x7fe71000 | 0x7fe73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe74000 | 0x7fe74000 | 0x7fe76fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe77000 | 0x7fe77000 | 0x7fe79fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe7a000 | 0x7fe7a000 | 0x7fe7cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe7d000 | 0x7fe7d000 | 0x7fe7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe80000 | 0x7fe80000 | 0x7fe82fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe83000 | 0x7fe83000 | 0x7fe85fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe86000 | 0x7fe86000 | 0x7fe88fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe89000 | 0x7fe89000 | 0x7fe8bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe8c000 | 0x7fe8c000 | 0x7fe8efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe8f000 | 0x7fe8f000 | 0x7fe91fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe92000 | 0x7fe92000 | 0x7fe94fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe95000 | 0x7fe95000 | 0x7fe97fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe98000 | 0x7fe98000 | 0x7fe9afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe9b000 | 0x7fe9b000 | 0x7fe9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe9e000 | 0x7fe9e000 | 0x7fea0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fea1000 | 0x7fea1000 | 0x7fea3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fea4000 | 0x7fea4000 | 0x7fea6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc03e6ffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 190 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\ciihmnxmn6ps\appdata\local\relatorio_erros\sqlite3.dll | 626.97 KB |
MD5:
d8aec01ff14e3e7ad43a4b71e30482e4
SHA1: e3015f56f17d845ec7eef11d41bbbc28cc16d096 SHA256: da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e |
|
|
Host Behavior
COM (7)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | WbemDefaultPathParser | IWbemPath | cls_context = CLSCTX_INPROC_SERVER |
|
5 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\localhost\root\SecurityCenter2 |
|
1 |
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\.\SICE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | \\.\SIWVID | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | \\.\NTICE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\system32\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_SYSTEM, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Relatorio_Erros\sqlite3.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Local\Relatorio_Erros | - |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\LocalRelatorio_Erros | type = file_attributes |
|
1 | |
| Read | C:\Windows\system32\ntdll.dll | size = 32, size_out = 32 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Relatorio_Erros\sqlite3.dll | size = 642016 |
|
1 |
Registry (20)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Relatorio_Erros | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Wine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Hardware\description\System | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Relatorio_Erros | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | value_name = DriverDesc, data = 77 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Hardware\description\System | value_name = SystemBiosVersion, data = 76 |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Hardware\description\System | value_name = VideoBiosVersion, data = 76 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Impersonation Level, data = 3 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = csrss, size = 1, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = svchost, data = "C:\Users\CIiHmnxMn6Ps\AppData\Local\Relatorio_Erros\svchost.exe", size = 66, type = REG_SZ |
|
1 |
Module (110)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x74d70000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x77990000 |
|
1 | |
| Load | NTDLL.dll | base_address = 0x77c40000 |
|
1 | |
| Load | winmm.dll | base_address = 0x74b70000 |
|
3 | |
| Load | NTDLL | base_address = 0x77c40000 |
|
1 | |
| Load | kernel32.dll | base_address = 0x77670000 |
|
4 | |
| Load | user32.dll | base_address = 0x74d70000 |
|
3 | |
| Load | advapi32.dll | base_address = 0x77990000 |
|
3 | |
| Load | oleaut32.dll | base_address = 0x77ba0000 |
|
3 | |
| Load | version.dll | base_address = 0x74b00000 |
|
1 | |
| Load | gdi32.dll | base_address = 0x76ca0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x77430000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x748f0000 |
|
1 | |
| Load | winspool.drv | base_address = 0x74880000 |
|
1 | |
| Load | shell32.dll | base_address = 0x755b0000 |
|
2 | |
| Load | wsock32.dll | base_address = 0x74850000 |
|
1 | |
| Load | SHFolder.dll | base_address = 0x74840000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x74eb0000 |
|
2 | |
| Load | C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.ENU | base_address = 0x0 |
|
1 | |
| Load | C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.EN | base_address = 0x0 |
|
1 | |
| Load | olepro32.dll | base_address = 0x74820000 |
|
1 | |
| Load | uxtheme.dll | base_address = 0x74bc0000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x77990000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77c40000 |
|
16 | |
| Get Handle | kmon.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\combase.dll | base_address = 0x77090000 |
|
7 | |
| Get Handle | ws2_32 | base_address = 0x77930000 |
|
19 | |
| Get Handle | c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x77ba0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x74d70000 |
|
3 | |
| Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\comctl32.dll | base_address = 0x748f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x77430000 |
|
1 | |
| Get Filename | kmon.dll | process_name = c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe, size = 256 |
|
1 | |
| Get Filename | kmon.dll | process_name = c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe, size = 512 |
|
1 | |
| Get Filename | c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe | process_name = c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe, size = 261 |
|
1 | |
| Get Filename | kmon.dll | process_name = c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe, size = 261 |
|
1 | |
| Get Filename | c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe | process_name = c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe, size = 256 |
|
1 | |
| Get Filename | C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.EN | process_name = c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe, size = 261 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x7768a410 |
|
1 | |
| Get Address | c:\windows\syswow64\winmm.dll | function = timeGetTime, address_out = 0x74b73a10 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtOpenThread, address_out = 0x77ca9d70 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x77ca8f40 |
|
7 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAllocateHeap, address_out = 0x77c7da90 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address_out = 0x779b0c20 |
|
1 | |
| Create Mapping | C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\CIiHmnxMn6Ps\AppData\Local\nzpnpqiti\86976.exe | process_name = c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe, desired_access = FILE_MAP_READ |
|
1 |
Window (42)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Find | - | class_name = OLLYDBG |
|
14 | |
| Find | - | class_name = GBDYLLO |
|
14 | |
| Find | - | class_name = pediy06 |
|
14 |
System (343)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 50 milliseconds (0.050 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
144 | |
| Sleep | duration = 2001 milliseconds (2.001 seconds) |
|
136 | |
| Sleep | duration = 125 milliseconds (0.125 seconds) |
|
4 | |
| Get Time | type = Local Time, time = 2018-05-02 23:27:47 (Local Time) |
|
1 | |
| Get Time | type = Local Time, time = 2018-05-02 23:27:55 (Local Time) |
|
1 | |
| Get Info | type = Operating System |
|
40 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
3 | |
| Get Info | type = SYSTEM_MODULE_INFORMATION |
|
7 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Relatorio_Erros |
|
1 | |
| Open | mutex_name = Relatorio_Erros, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Debug (19)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe | - |
|
2 | |
| Check for Presence | c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe | - |
|
14 | |
| Check for Presence | c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe | - |
|
1 | |
| Hide | c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe | - |
|
1 | |
| c:\users\ciihmnxmn6ps\appdata\local\nzpnpqiti\86976.exe | type = DEBUG_STRING, text = %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------ |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = www.fuente-ovejuna.cz, address_out = 46.28.105.149 |
|
1 |
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 239 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | www.fuente-ovejuna.cz |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/3.0 (compatible; Indy Library) |
| Server Name | www.fuente-ovejuna.cz |
| Server Port | 80 |
| Data Sent | 239 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/3.0 (compatible; Indy Library), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = www.fuente-ovejuna.cz, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /admin/includes/css.php |
|
1 | |
| Send HTTP Request | headers = content-length: 42, connection: keep-alive, accept: text/html, */*, user-agent: Mozilla/3.0 (compatible; Indy Library), host: www.fuente-ovejuna.cz, content-type: application/x-www-form-urlencoded, url = www.fuente-ovejuna.cz/admin/includes/css.php |
|
1 |
Process #4: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:49, Reason: RPC Server |
| Unmonitor | End Time: 00:02:49, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x378 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
C60
0x
C80
0x
C98
0x
C68
0x
FB4
0x
F68
0x
EA4
0x
544
0x
BF8
0x
9AC
0x
A38
0x
798
0x
878
0x
870
0x
784
0x
780
0x
754
0x
750
0x
740
0x
73C
0x
738
0x
734
0x
688
0x
730
0x
724
0x
71C
0x
70C
0x
708
0x
6F4
0x
6EC
0x
6D4
0x
6B4
0x
694
0x
680
0x
664
0x
650
0x
64C
0x
630
0x
628
0x
5F8
0x
5E4
0x
5CC
0x
5C4
0x
574
0x
558
0x
530
0x
4DC
0x
414
0x
118
0x
FC
0x
140
0x
1A0
0x
14C
0x
154
0x
130
0x
160
0x
F8
0x
3DC
0x
3D8
0x
3D0
0x
3CC
0x
3C8
0x
37C
0x
D0C
0x
CF0
0x
758
0x
774
0x
B00
0x
744
0x
6C8
0x
8BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e5e10000 | 0x51e5e10000 | 0x51e5e1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| svchost.exe.mui | 0x51e5e20000 | 0x51e5e20fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000051e5e30000 | 0x51e5e30000 | 0x51e5e43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e5e50000 | 0x51e5e50000 | 0x51e5ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e5ed0000 | 0x51e5ed0000 | 0x51e5ed3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e5ee0000 | 0x51e5ee0000 | 0x51e5ee0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e5ef0000 | 0x51e5ef0000 | 0x51e5ef1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x51e5f00000 | 0x51e5fbdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e5fc0000 | 0x51e5fc0000 | 0x51e5fc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e5fd0000 | 0x51e5fd0000 | 0x51e5fd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e5fe0000 | 0x51e5fe0000 | 0x51e5fe0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e5ff0000 | 0x51e5ff0000 | 0x51e5ff0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e6000000 | 0x51e6000000 | 0x51e60fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e6100000 | 0x51e6100000 | 0x51e617ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e6180000 | 0x51e6180000 | 0x51e6180fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e6190000 | 0x51e6190000 | 0x51e6190fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e61a0000 | 0x51e61a0000 | 0x51e61a1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e61b0000 | 0x51e61b0000 | 0x51e61b6fff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x51e61c0000 | 0x51e61c3fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x51e61d0000 | 0x51e61d3fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e61e0000 | 0x51e61e0000 | 0x51e61e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| iphlpsvc.dll.mui | 0x51e61f0000 | 0x51e61fcfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e6200000 | 0x51e6200000 | 0x51e62fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e6300000 | 0x51e6300000 | 0x51e6487fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e6490000 | 0x51e6490000 | 0x51e6610fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e6620000 | 0x51e6620000 | 0x51e66dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e66e0000 | 0x51e66e0000 | 0x51e675ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e6760000 | 0x51e6760000 | 0x51e67dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e67e0000 | 0x51e67e0000 | 0x51e68dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e68e0000 | 0x51e68e0000 | 0x51e69dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e69e0000 | 0x51e69e0000 | 0x51e6adffff | Private Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000b.db | 0x51e6ae0000 | 0x51e6b22fff | Memory Mapped File | Readable |
|
|
|
- |
| propsys.dll.mui | 0x51e6b30000 | 0x51e6b40fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e6b50000 | 0x51e6b50000 | 0x51e6b56fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e6b60000 | 0x51e6b60000 | 0x51e6bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e6be0000 | 0x51e6be0000 | 0x51e6be1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gpsvc.dll.mui | 0x51e6bf0000 | 0x51e6bfcfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e6c00000 | 0x51e6c00000 | 0x51e6cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x51e6d00000 | 0x51e7036fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e7040000 | 0x51e7040000 | 0x51e713ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7140000 | 0x51e7140000 | 0x51e723ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7240000 | 0x51e7240000 | 0x51e733ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7340000 | 0x51e7340000 | 0x51e743ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7440000 | 0x51e7440000 | 0x51e74bffff | Private Memory | Readable, Writable |
|
|
|
- |
| vsstrace.dll.mui | 0x51e74c0000 | 0x51e74c8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e74d0000 | 0x51e74d0000 | 0x51e74d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| activeds.dll.mui | 0x51e74e0000 | 0x51e74e1fff | Memory Mapped File | Readable |
|
|
|
- |
| winnlsres.dll | 0x51e74f0000 | 0x51e74f4fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e7500000 | 0x51e7500000 | 0x51e75fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7600000 | 0x51e7600000 | 0x51e76fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7700000 | 0x51e7700000 | 0x51e777ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7780000 | 0x51e7780000 | 0x51e787ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7880000 | 0x51e7880000 | 0x51e797ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7980000 | 0x51e7980000 | 0x51e7a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7a80000 | 0x51e7a80000 | 0x51e7afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7b00000 | 0x51e7b00000 | 0x51e7bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x51e7c00000 | 0x51e7c8afff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e7c90000 | 0x51e7c90000 | 0x51e7d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7d90000 | 0x51e7d90000 | 0x51e7e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7e90000 | 0x51e7e90000 | 0x51e7f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| dosvc.dll.mui | 0x51e7fb0000 | 0x51e7fb0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000051e7fd0000 | 0x51e7fd0000 | 0x51e7fd1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| winnlsres.dll.mui | 0x51e7fe0000 | 0x51e7feffff | Memory Mapped File | Readable |
|
|
|
- |
| mswsock.dll.mui | 0x51e7ff0000 | 0x51e7ff2fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000051e8010000 | 0x51e8010000 | 0x51e8010fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e8020000 | 0x51e8020000 | 0x51e8022fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e8030000 | 0x51e8030000 | 0x51e8030fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e8040000 | 0x51e8040000 | 0x51e8040fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8050000 | 0x51e8050000 | 0x51e80cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8110000 | 0x51e8110000 | 0x51e820ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8290000 | 0x51e8290000 | 0x51e838ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8390000 | 0x51e8390000 | 0x51e848ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8490000 | 0x51e8490000 | 0x51e850ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e8510000 | 0x51e8510000 | 0x51e860ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8630000 | 0x51e8630000 | 0x51e8636fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8700000 | 0x51e8700000 | 0x51e87fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8800000 | 0x51e8800000 | 0x51e88fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8900000 | 0x51e8900000 | 0x51e89fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8a80000 | 0x51e8a80000 | 0x51e8b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8c00000 | 0x51e8c00000 | 0x51e8c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8c80000 | 0x51e8c80000 | 0x51e8d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8e00000 | 0x51e8e00000 | 0x51e8e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8f00000 | 0x51e8f00000 | 0x51e8ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9000000 | 0x51e9000000 | 0x51e90fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9100000 | 0x51e9100000 | 0x51e917ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9180000 | 0x51e9180000 | 0x51e91fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9200000 | 0x51e9200000 | 0x51e92fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9300000 | 0x51e9300000 | 0x51e93fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9400000 | 0x51e9400000 | 0x51e94fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9500000 | 0x51e9500000 | 0x51e95fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9600000 | 0x51e9600000 | 0x51e96fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9700000 | 0x51e9700000 | 0x51e97fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9800000 | 0x51e9800000 | 0x51e98fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9900000 | 0x51e9900000 | 0x51e99fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9a00000 | 0x51e9a00000 | 0x51e9afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9b00000 | 0x51e9b00000 | 0x51e9bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9c00000 | 0x51e9c00000 | 0x51e9cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9d00000 | 0x51e9d00000 | 0x51e9dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9e00000 | 0x51e9e00000 | 0x51e9efffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x51e9f00000 | 0x51e9fdefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e9fe0000 | 0x51e9fe0000 | 0x51ea0dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea0e0000 | 0x51ea0e0000 | 0x51ea15ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea170000 | 0x51ea170000 | 0x51ea176fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea180000 | 0x51ea180000 | 0x51ea27ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea300000 | 0x51ea300000 | 0x51ea3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea400000 | 0x51ea400000 | 0x51ea4fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea700000 | 0x51ea700000 | 0x51ea7fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea800000 | 0x51ea800000 | 0x51ea8fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea900000 | 0x51ea900000 | 0x51ea9fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eaa00000 | 0x51eaa00000 | 0x51eaafffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eab00000 | 0x51eab00000 | 0x51eabfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eac00000 | 0x51eac00000 | 0x51eacfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ead00000 | 0x51ead00000 | 0x51eadfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb000000 | 0x51eb000000 | 0x51eb0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb130000 | 0x51eb130000 | 0x51eb136fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb1c0000 | 0x51eb1c0000 | 0x51eb1c6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb200000 | 0x51eb200000 | 0x51eb2fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eba00000 | 0x51eba00000 | 0x51ebafffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ebb00000 | 0x51ebb00000 | 0x51ebbfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ebd00000 | 0x51ebd00000 | 0x51ebdfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ec300000 | 0x51ec300000 | 0x51ec3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ece00000 | 0x51ece00000 | 0x51ecefffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ecf00000 | 0x51ecf00000 | 0x51ecffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ed000000 | 0x51ed000000 | 0x51ed0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ffdb0000 | 0x7df5ffdb0000 | 0x7ff5ffdaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7b3a88000 | 0x7ff7b3a88000 | 0x7ff7b3a89fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3a8a000 | 0x7ff7b3a8a000 | 0x7ff7b3a8bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aaa000 | 0x7ff7b3aaa000 | 0x7ff7b3aabfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aac000 | 0x7ff7b3aac000 | 0x7ff7b3aadfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ab0000 | 0x7ff7b3ab0000 | 0x7ff7b3ab1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ab2000 | 0x7ff7b3ab2000 | 0x7ff7b3ab3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3abe000 | 0x7ff7b3abe000 | 0x7ff7b3abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac0000 | 0x7ff7b3ac0000 | 0x7ff7b3ac1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac2000 | 0x7ff7b3ac2000 | 0x7ff7b3ac3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac4000 | 0x7ff7b3ac4000 | 0x7ff7b3ac5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aca000 | 0x7ff7b3aca000 | 0x7ff7b3acbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3acc000 | 0x7ff7b3acc000 | 0x7ff7b3acdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ace000 | 0x7ff7b3ace000 | 0x7ff7b3acffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ad0000 | 0x7ff7b3ad0000 | 0x7ff7b3ad1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ad2000 | 0x7ff7b3ad2000 | 0x7ff7b3ad3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ad4000 | 0x7ff7b3ad4000 | 0x7ff7b3ad5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ad6000 | 0x7ff7b3ad6000 | 0x7ff7b3ad7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ad8000 | 0x7ff7b3ad8000 | 0x7ff7b3ad9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ada000 | 0x7ff7b3ada000 | 0x7ff7b3adbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3adc000 | 0x7ff7b3adc000 | 0x7ff7b3addfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ade000 | 0x7ff7b3ade000 | 0x7ff7b3adffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ae0000 | 0x7ff7b3ae0000 | 0x7ff7b3ae1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ae2000 | 0x7ff7b3ae2000 | 0x7ff7b3ae3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ae4000 | 0x7ff7b3ae4000 | 0x7ff7b3ae5fff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 324 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #5: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\sc.exe |
| Command Line | C:\Windows\system32\sc.exe start wuauserv |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:49, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:59 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf8 |
| Parent PID | 0x378 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
D08
0x
4CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000004ab9710000 | 0x4ab9710000 | 0x4ab972ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004ab9710000 | 0x4ab9710000 | 0x4ab971ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004ab9720000 | 0x4ab9720000 | 0x4ab9726fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004ab9730000 | 0x4ab9730000 | 0x4ab9743fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004ab9750000 | 0x4ab9750000 | 0x4ab97cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004ab97d0000 | 0x4ab97d0000 | 0x4ab97d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004ab97e0000 | 0x4ab97e0000 | 0x4ab97e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004ab97f0000 | 0x4ab97f0000 | 0x4ab97f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x4ab9800000 | 0x4ab98bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000004ab98c0000 | 0x4ab98c0000 | 0x4ab993ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004ab9940000 | 0x4ab9940000 | 0x4ab9946fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004ab9950000 | 0x4ab9950000 | 0x4ab995ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x4ab9960000 | 0x4ab9971fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000004ab99b0000 | 0x4ab99b0000 | 0x4ab9aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ffd90000 | 0x7df5ffd90000 | 0x7ff5ffd8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7527f0000 | 0x7ff7527f0000 | 0x7ff7528effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7528f0000 | 0x7ff7528f0000 | 0x7ff752912fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff75291a000 | 0x7ff75291a000 | 0x7ff75291bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff75291c000 | 0x7ff75291c000 | 0x7ff75291dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff75291e000 | 0x7ff75291e000 | 0x7ff75291efff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x7ff752c80000 | 0x7ff752c95fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 425 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\sc.exe | base_address = 0x7ff752c80000 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | service_name = wuauserv |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Start | service_name = wuauserv |
|
1 |
Process #8: services.exe
0
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:51, Reason: Created Daemon |
| Unmonitor | End Time: 00:02:49, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:58 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1e4 |
| Parent PID | 0x194 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
36C
0x
358
0x
30C
0x
260
0x
240
0x
238
0x
66C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000a4161d0000 | 0xa4161d0000 | 0xa4161dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| services.exe.mui | 0xa4161e0000 | 0xa4161e4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000a4161f0000 | 0xa4161f0000 | 0xa416203fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a416290000 | 0xa416290000 | 0xa416293fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a4162a0000 | 0xa4162a0000 | 0xa4162a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0xa4162b0000 | 0xa41636dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000a416370000 | 0xa416370000 | 0xa416370fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a4163d0000 | 0xa4163d0000 | 0xa4163d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416400000 | 0xa416400000 | 0xa4164fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416580000 | 0xa416580000 | 0xa4165fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416600000 | 0xa416600000 | 0xa41667ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416680000 | 0xa416680000 | 0xa4166fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416750000 | 0xa416750000 | 0xa416756fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416800000 | 0xa416800000 | 0xa4168fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416980000 | 0xa416980000 | 0xa4169fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416b00000 | 0xa416b00000 | 0xa416b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416b80000 | 0xa416b80000 | 0xa416bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416c00000 | 0xa416c00000 | 0xa416cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ff8b0000 | 0x7df5ff8b0000 | 0x7ff5ff8affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff64fbc4000 | 0x7ff64fbc4000 | 0x7ff64fbc5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fbc6000 | 0x7ff64fbc6000 | 0x7ff64fbc7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fbcc000 | 0x7ff64fbcc000 | 0x7ff64fbcdfff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff64fbd0000 | 0x7ff64fbd0000 | 0x7ff64fccffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff64fcd0000 | 0x7ff64fcd0000 | 0x7ff64fcf2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff64fcf5000 | 0x7ff64fcf5000 | 0x7ff64fcf5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fcf6000 | 0x7ff64fcf6000 | 0x7ff64fcf7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fcf8000 | 0x7ff64fcf8000 | 0x7ff64fcf9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fcfa000 | 0x7ff64fcfa000 | 0x7ff64fcfbfff | Private Memory | Readable, Writable |
|
|
|
- |
| services.exe | 0x7ff650490000 | 0x7ff6504fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usermgrcli.dll | 0x7ffbfd180000 | 0x7ffbfd18ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| authz.dll | 0x7ffbff9b0000 | 0x7ffbff9f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scesrv.dll | 0x7ffbffa00000 | 0x7ffbffa8dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffbffb00000 | 0x7ffbffb25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ffc00110000 | 0x7ffc0016cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffc004c0000 | 0x7ffc004ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| spinf.dll | 0x7ffc00670000 | 0x7ffc0068afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| eventaggregation.dll | 0x7ffc00690000 | 0x7ffc006a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dabapi.dll | 0x7ffc006b0000 | 0x7ffc006b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc006f0000 | 0x7ffc0075afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffc008f0000 | 0x7ffc00902fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffc02050000 | 0x7ffc02057fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffc03980000 | 0x7ffc039e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #22: sppsvc.exe
10
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\system32\sppsvc.exe |
| Command Line | C:\Windows\system32\sppsvc.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:01:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:49, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4f0 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D00
0x
CE4
0x
8D4
0x
454
0x
554
0x
468
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000e1fea70000 | 0xe1fea70000 | 0xe1fea76fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e1fea80000 | 0xe1fea80000 | 0xe1fea8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e1fea90000 | 0xe1fea90000 | 0xe1feaa3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e1feab0000 | 0xe1feab0000 | 0xe1feb2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xe1feb30000 | 0xe1febedfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e1febf0000 | 0xe1febf0000 | 0xe1fec6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1fec70000 | 0xe1fec70000 | 0xe1fec76fff | Private Memory | Readable, Writable |
|
|
|
- |
| sppsvc.exe.mui | 0xe1fec80000 | 0xe1fec85fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e1fec90000 | 0xe1fec90000 | 0xe1fec90fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1feca0000 | 0xe1feca0000 | 0xe1feca0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1fecb0000 | 0xe1fecb0000 | 0xe1fecbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1fecc0000 | 0xe1fecc0000 | 0xe1feccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1fecd0000 | 0xe1fecd0000 | 0xe1fecdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1fece0000 | 0xe1fece0000 | 0xe1feddffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e1fede0000 | 0xe1fede0000 | 0xe1fee9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e1feea0000 | 0xe1feea0000 | 0xe1feeaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1fef10000 | 0xe1fef10000 | 0xe1fef1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e1fef20000 | 0xe1fef20000 | 0xe1ff0a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e1ff0b0000 | 0xe1ff0b0000 | 0xe1ff230fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e1ff240000 | 0xe1ff240000 | 0xe1ff2bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1ff2c0000 | 0xe1ff2c0000 | 0xe1ff3bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1ff3c0000 | 0xe1ff3c0000 | 0xe1ff43ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0xe1ff440000 | 0xe1ff776fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e1ff780000 | 0xe1ff780000 | 0xe1ff7fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1ff800000 | 0xe1ff800000 | 0xe1ff8fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1ff900000 | 0xe1ff900000 | 0xe1ff97ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1ff980000 | 0xe1ff980000 | 0xe1ffa7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1ffa80000 | 0xe1ffa80000 | 0xe1ffb81fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e1ffb90000 | 0xe1ffb90000 | 0xe1ffc97fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ff280000 | 0x7df5ff280000 | 0x7ff5ff27ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7d33be000 | 0x7ff7d33be000 | 0x7ff7d33bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7d33c0000 | 0x7ff7d33c0000 | 0x7ff7d34bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7d34c0000 | 0x7ff7d34c0000 | 0x7ff7d34e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7d34e4000 | 0x7ff7d34e4000 | 0x7ff7d34e5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7d34e6000 | 0x7ff7d34e6000 | 0x7ff7d34e7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7d34e8000 | 0x7ff7d34e8000 | 0x7ff7d34e8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7d34ea000 | 0x7ff7d34ea000 | 0x7ff7d34ebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7d34ec000 | 0x7ff7d34ec000 | 0x7ff7d34edfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7d34ee000 | 0x7ff7d34ee000 | 0x7ff7d34effff | Private Memory | Readable, Writable |
|
|
|
- |
| sppsvc.exe | 0x7ff7d3da0000 | 0x7ff7d43cdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clipc.dll | 0x7ffbeabf0000 | 0x7ffbeac05fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptxml.dll | 0x7ffbeac10000 | 0x7ffbeac31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| webservices.dll | 0x7ffbeb940000 | 0x7ffbebabafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sppobjs.dll | 0x7ffbebcd0000 | 0x7ffbebe47fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sppwinob.dll | 0x7ffbec240000 | 0x7ffbec2d9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wwapi.dll | 0x7ffbf2780000 | 0x7ffbf2795fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ffbfaa10000 | 0x7ffbfaa26fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| xmllite.dll | 0x7ffbfbe40000 | 0x7ffbfbe75fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ffbfd340000 | 0x7ffbfd355fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x7ffbfdc10000 | 0x7ffbfdc19fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ffbffaf0000 | 0x7ffbffafbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffbffb00000 | 0x7ffbffb25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffbffdc0000 | 0x7ffbffdf2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffc00170000 | 0x7ffc00186fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffc002e0000 | 0x7ffc002eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffc006c0000 | 0x7ffc006e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc006f0000 | 0x7ffc0075afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc00910000 | 0x7ffc0091efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ffc00920000 | 0x7ffc00930fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ffc01190000 | 0x7ffc01350fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffc01640000 | 0x7ffc016e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffc018a0000 | 0x7ffc01b1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffc01f00000 | 0x7ffc0204dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffc037f0000 | 0x7ffc03974fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffc03bb0000 | 0x7ffc03cf0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffc03d00000 | 0x7ffc03dbdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\wwapi.dll | base_address = 0x7ffbf2780000 |
|
1 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ffc03e70000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ffc03f038a0 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanOpenHandle, address_out = 0x7ffbf2781010 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanCloseHandle, address_out = 0x7ffbf2784f40 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanEnumerateInterfaces, address_out = 0x7ffbf2785bb0 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanQueryInterface, address_out = 0x7ffbf2787150 |
|
1 | |
| Get Address | c:\windows\system32\wwapi.dll | function = WwanFreeMemory, address_out = 0x7ffbf2785d60 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 217921 |
|
1 | |
| Get Info | - |
|
1 |
