276dfc5994510eb3186bc273360e01487994723246fbbd296e9215d268888114 (SHA256)
276dfc5994510eb3186bc273360e01487994723246fbbd296e9215d268888114.exe
Windows Exe (x86-32)
Created at 2018-03-06 15:52:00
Notifications (1/1)
The overall sleep time of all monitored processes was truncated from "55 seconds" to "10 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: 276dfc5994510eb3186bc273360e01487994723246fbbd296e9215d268888114.exe
559
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\276dfc5994510eb3186bc273360e01487994723246fbbd296e9215d268888114.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\276dfc5994510eb3186bc273360e01487994723246fbbd296e9215d268888114.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:43, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:43, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdf8 |
| Parent PID | 0x5dc (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DFC
0x
E0C
0x
E64
0x
E68
0x
E98
0x
E9C
0x
EA0
0x
F1C
0x
F20
0x
F24
0x
F28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| 276dfc5994510eb3186bc273360e01487994723246fbbd296e9215d268888114.exe | 0x00840000 | 0x008b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000008c0000 | 0x008c0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x009fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a36fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a46fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a70fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ba0000 | 0x00c5dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c6ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00ca0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00ca2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cc0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00deffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00f77fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x01100fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x0250ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002510000 | 0x02510000 | 0x02581fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x0259ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mscorrc.dll | 0x025a0000 | 0x02601fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002610000 | 0x02610000 | 0x0261ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002620000 | 0x02620000 | 0x0262ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x0263ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x1a73ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001a740000 | 0x1a740000 | 0x1aaaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001aab0000 | 0x1aab0000 | 0x1abb3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001abc0000 | 0x1abc0000 | 0x1acbffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x1acc0000 | 0x1aff6fff | Memory Mapped File | Readable |
|
|
|
- |
| rpcss.dll | 0x1b000000 | 0x1b0d5fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000001b000000 | 0x1b000000 | 0x1b1dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b000000 | 0x1b000000 | 0x1b00ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b010000 | 0x1b010000 | 0x1b01ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b020000 | 0x1b020000 | 0x1b02ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b030000 | 0x1b030000 | 0x1b03ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b040000 | 0x1b040000 | 0x1b04ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b050000 | 0x1b050000 | 0x1b05ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b060000 | 0x1b060000 | 0x1b06ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b070000 | 0x1b070000 | 0x1b07ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b080000 | 0x1b080000 | 0x1b08ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b090000 | 0x1b090000 | 0x1b09ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b0a0000 | 0x1b0a0000 | 0x1b0affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b0b0000 | 0x1b0b0000 | 0x1b0bffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000001b0c0000 | 0x1b0c0000 | 0x1b1bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b1c0000 | 0x1b1c0000 | 0x1b1cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b1d0000 | 0x1b1d0000 | 0x1b1dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b1e0000 | 0x1b1e0000 | 0x1b2dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b2e0000 | 0x1b2e0000 | 0x1b3dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b3e0000 | 0x1b3e0000 | 0x1b3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x1b3e0000 | 0x1b4befff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000001b400000 | 0x1b400000 | 0x1b40ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b410000 | 0x1b410000 | 0x1b41ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b420000 | 0x1b420000 | 0x1b42ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| sysmain.sdb | 0x7ff5fedc0000 | 0x7ff5fee2cfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00007ff5fee2e000 | 0x7ff5fee2e000 | 0x7ff5fee2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5fee30000 | 0x7ff5fee30000 | 0x7ff5fee3ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ff5fee40000 | 0x7ff5fee40000 | 0x7ff5feedffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00007ff5feee0000 | 0x7ff5feee0000 | 0x7ff5fefdffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff5fefe0000 | 0x7ff5fefe0000 | 0x7ff5ff002fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff5ff003000 | 0x7ff5ff003000 | 0x7ff5ff004fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff005000 | 0x7ff5ff005000 | 0x7ff5ff006fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff007000 | 0x7ff5ff007000 | 0x7ff5ff008fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff009000 | 0x7ff5ff009000 | 0x7ff5ff00afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff00b000 | 0x7ff5ff00b000 | 0x7ff5ff00cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff00d000 | 0x7ff5ff00d000 | 0x7ff5ff00efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff00f000 | 0x7ff5ff00f000 | 0x7ff5ff00ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ffb8ba20000 | 0x7ffb8ba20000 | 0x7ffb8ba2ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8ba30000 | 0x7ffb8ba30000 | 0x7ffb8ba3ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8ba40000 | 0x7ffb8ba40000 | 0x7ffb8bacffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8bad0000 | 0x7ffb8bad0000 | 0x7ffb8bb3ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8bb40000 | 0x7ffb8bb40000 | 0x7ffb8bb4ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8bb50000 | 0x7ffb8bb50000 | 0x7ffb8bb8ffff | Private Memory | - |
|
|
|
- |
| system.core.ni.dll | 0x7ffbe73b0000 | 0x7ffbe7d31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.windows.forms.ni.dll | 0x7ffbe7d40000 | 0x7ffbe8c1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.drawing.ni.dll | 0x7ffbe8c20000 | 0x7ffbe8e09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.ni.dll | 0x7ffbe8e10000 | 0x7ffbe9a23fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clrjit.dll | 0x7ffbe9a30000 | 0x7ffbe9b30fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorlib.ni.dll | 0x7ffbe9c10000 | 0x7ffbeb0aafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr120_clr0400.dll | 0x7ffbeb0b0000 | 0x7ffbeb1a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clr.dll | 0x7ffbeb1b0000 | 0x7ffbebb01fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7ffbebc10000 | 0x7ffbebca6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7ffbec160000 | 0x7ffbec1c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7ffbfb2c0000 | 0x7ffbfb2c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7ffbff0d0000 | 0x7ffbff147fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ffbff170000 | 0x7ffbff205fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffbffdc0000 | 0x7ffbffdf2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffc00170000 | 0x7ffc00186fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffc002e0000 | 0x7ffc002eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffc006c0000 | 0x7ffc006e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc006f0000 | 0x7ffc0075afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ffc008a0000 | 0x7ffc008e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffc008f0000 | 0x7ffc00902fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc00910000 | 0x7ffc0091efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| windows.storage.dll | 0x7ffc00940000 | 0x7ffc00f67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ffc00fc0000 | 0x7ffc01072fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffc015f0000 | 0x7ffc01625fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffc01640000 | 0x7ffc016e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffc018a0000 | 0x7ffc01b1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffc01f00000 | 0x7ffc0204dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffc02160000 | 0x7ffc022bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ffc022c0000 | 0x7ffc037e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffc037f0000 | 0x7ffc03974fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffc03a50000 | 0x7ffc03aa0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x7ffc03ad0000 | 0x7ffc03ad7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffc03bb0000 | 0x7ffc03cf0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffc03d00000 | 0x7ffc03dbdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\ciihmnxmn6ps\appdata\local\icosineczo.bin | 373.00 KB |
MD5:
186ab6b31766e04f07fa8b3eb9314bef
SHA1: ebab8b38fd4c556d990be10a21118577e666490f SHA256: 4f7f8918ce69501048d1b846428c509bf352ab662d6e33b82ec93caa72e7f9da |
|
|
Host Behavior
File (314)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\svchost.exe | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\dwm.exe | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\svchost.exe | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files (x86)\Windows Mail\crystal_bath_flip_mixer.exe | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Explorer.EXE | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\svchost.exe | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\sihost.exe | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\Icosineczo.bin | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\svchost.exe | type = file_type |
|
2 | |
| Get Info | C:\Windows\system32\dwm.exe | type = file_type |
|
2 | |
| Get Info | C:\Windows\system32\svchost.exe | type = file_type |
|
4 | |
| Get Info | C:\Program Files (x86)\Windows Mail\crystal_bath_flip_mixer.exe | type = file_type |
|
2 | |
| Get Info | C:\Windows\Explorer.EXE | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\svchost.exe | type = file_type |
|
2 | |
| Get Info | C:\Windows\system32\sihost.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Icosineczo.bin | type = file_type |
|
2 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
2 | |
| Read | C:\Windows\system32\svchost.exe | size = 4096, size_out = 4096 |
|
9 | |
| Read | C:\Windows\system32\svchost.exe | size = 4096, size_out = 2992 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\system32\dwm.exe | size = 4096, size_out = 4096 |
|
11 | |
| Read | C:\Windows\system32\dwm.exe | size = 4096, size_out = 1536 |
|
1 | |
| Read | C:\Windows\system32\dwm.exe | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\system32\svchost.exe | size = 4096, size_out = 4096 |
|
18 | |
| Read | C:\Windows\system32\svchost.exe | size = 4096, size_out = 2992 |
|
2 | |
| Read | C:\Windows\system32\svchost.exe | size = 4096, size_out = 0 |
|
2 | |
| Read | C:\Program Files (x86)\Windows Mail\crystal_bath_flip_mixer.exe | size = 4096, size_out = 4096 |
|
18 | |
| Read | C:\Program Files (x86)\Windows Mail\crystal_bath_flip_mixer.exe | size = 4096, size_out = 1536 |
|
1 | |
| Read | C:\Program Files (x86)\Windows Mail\crystal_bath_flip_mixer.exe | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\Explorer.EXE | size = 4096, size_out = 4096 |
|
183 | |
| Read | C:\Windows\System32\svchost.exe | size = 4096, size_out = 4096 |
|
9 | |
| Read | C:\Windows\System32\svchost.exe | size = 4096, size_out = 2992 |
|
1 | |
| Read | C:\Windows\System32\svchost.exe | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\system32\sihost.exe | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\system32\sihost.exe | size = 4096, size_out = 2048 |
|
1 | |
| Read | C:\Windows\system32\sihost.exe | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\Icosineczo.bin | size = 381952 |
|
1 |
Process (54)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Users\CIiHmnxMn6Ps\AppData\Local\Icosineczo.bin" | os_pid = 0xf0c, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\crystal_bath_flip_mixer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\green_wait_minimal_extreme.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office 15\submission_imagine.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\respectivelycsisrael.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\verizon.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\labels_nr_appreciate_airplane.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\shortly-joins-spell-atomic.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows photo viewer\beds.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\orleans-analyzes-attachment-shift.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\adobe\significance-handheld-co-pregnant.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\implementation-rn-pollution.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows sidebar\neural.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windowspowershell\locked.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\milwaukee.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\mozilla maintenance service\terminationfaxsuspectedaddress.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows nt\closer ban readings bargains.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\wikipedia.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows photo viewer\norman cognitive.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows photo viewer\chick mali.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\rundll32.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 |
Module (46)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\dwm.exe, file_name_orig = C:\Windows\system32\dwm.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\windows mail\crystal_bath_flip_mixer.exe, file_name_orig = C:\Program Files (x86)\Windows Mail\crystal_bath_flip_mixer.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\mozilla firefox\green_wait_minimal_extreme.exe, file_name_orig = C:\Program Files (x86)\Mozilla Firefox\green_wait_minimal_extreme.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office 15\submission_imagine.exe, file_name_orig = C:\Program Files\Microsoft Office 15\submission_imagine.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\respectivelycsisrael.exe, file_name_orig = C:\Program Files\Microsoft Office\respectivelycsisrael.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\backgroundtaskhost.exe, file_name_orig = C:\Windows\system32\backgroundTaskHost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\windows mail\verizon.exe, file_name_orig = C:\Program Files (x86)\Windows Mail\verizon.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\dllhost.exe, file_name_orig = C:\Windows\system32\DllHost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files\reference assemblies\labels_nr_appreciate_airplane.exe, file_name_orig = C:\Program Files\Reference Assemblies\labels_nr_appreciate_airplane.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\mozilla maintenance service\shortly-joins-spell-atomic.exe, file_name_orig = C:\Program Files (x86)\Mozilla Maintenance Service\shortly-joins-spell-atomic.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files\windows photo viewer\beds.exe, file_name_orig = C:\Program Files\Windows Photo Viewer\beds.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\windows sidebar\orleans-analyzes-attachment-shift.exe, file_name_orig = C:\Program Files (x86)\Windows Sidebar\orleans-analyzes-attachment-shift.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\adobe\significance-handheld-co-pregnant.exe, file_name_orig = C:\Program Files (x86)\Adobe\significance-handheld-co-pregnant.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\spoolsv.exe, file_name_orig = C:\Windows\System32\spoolsv.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\lsass.exe, file_name_orig = C:\Windows\system32\lsass.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, file_name_orig = C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\mozilla maintenance service\implementation-rn-pollution.exe, file_name_orig = C:\Program Files (x86)\Mozilla Maintenance Service\implementation-rn-pollution.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files\windows sidebar\neural.exe, file_name_orig = C:\Program Files\Windows Sidebar\neural.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files\windowspowershell\locked.exe, file_name_orig = C:\Program Files\WindowsPowerShell\locked.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\mozilla maintenance service\milwaukee.exe, file_name_orig = C:\Program Files (x86)\Mozilla Maintenance Service\milwaukee.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\mozilla maintenance service\terminationfaxsuspectedaddress.exe, file_name_orig = C:\Program Files (x86)\Mozilla Maintenance Service\terminationfaxsuspectedaddress.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, file_name_orig = C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\runtimebroker.exe, file_name_orig = C:\Windows\System32\RuntimeBroker.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\windows nt\closer ban readings bargains.exe, file_name_orig = C:\Program Files (x86)\Windows NT\closer ban readings bargains.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\windows mail\wikipedia.exe, file_name_orig = C:\Program Files (x86)\Windows Mail\wikipedia.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\276dfc5994510eb3186bc273360e01487994723246fbbd296e9215d268888114.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\276dfc5994510eb3186bc273360e01487994723246fbbd296e9215d268888114.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\winlogon.exe, file_name_orig = C:\Windows\system32\winlogon.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\taskhostw.exe, file_name_orig = C:\Windows\system32\taskhostw.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files\windows photo viewer\norman cognitive.exe, file_name_orig = C:\Program Files\Windows Photo Viewer\norman cognitive.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\taskhostw.exe, file_name_orig = C:\Windows\system32\taskhostw.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\windows photo viewer\chick mali.exe, file_name_orig = C:\Program Files (x86)\Windows Photo Viewer\chick mali.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\backgroundtaskhost.exe, file_name_orig = C:\Windows\system32\backgroundTaskHost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\System32\svchost.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\sihost.exe, file_name_orig = C:\Windows\system32\sihost.exe, size = 2048 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (25)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
15 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Sleep | duration = 20 milliseconds (0.020 seconds) |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
4 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = COR_ENABLE_PROFILING |
|
1 |
Process #2: icosineczo.bin
806
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\users\ciihmnxmn6ps\appdata\local\icosineczo.bin |
| Command Line | "C:\Users\CIiHmnxMn6Ps\AppData\Local\Icosineczo.bin" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:43, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:37 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf0c |
| Parent PID | 0xdf8 (c:\users\ciihmnxmn6ps\desktop\276dfc5994510eb3186bc273360e01487994723246fbbd296e9215d268888114.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F10
0x
F34
0x
F38
0x
F3C
0x
F40
0x
F44
0x
F48
0x
FB8
0x
FC0
0x
8D4
0x
4D0
0x
604
0x
634
0x
8F8
0x
C60
0x
250
0x
1A4
0x
A14
0x
B40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| icosineczo.bin | 0x00ad0000 | 0x00b35fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000b40000 | 0x00b40000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b56fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00ca1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00cb0000 | 0x00d6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f76fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f96fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fc0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00feffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x01000fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0101ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x01030fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0104ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001040000 | 0x01040000 | 0x01040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0105ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01050fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x0106ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x010cdfff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x010dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000010f0000 | 0x010f0000 | 0x01277fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001280000 | 0x01280000 | 0x01400fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001410000 | 0x01410000 | 0x0280ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0290ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mscorrc.dll | 0x02910000 | 0x02971fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002980000 | 0x02980000 | 0x0298ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002980000 | 0x02980000 | 0x029cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x0299ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x029affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x029bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x029cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029d0000 | 0x029d0000 | 0x029dffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000029e0000 | 0x029e0000 | 0x1a9dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001a9e0000 | 0x1a9e0000 | 0x1ad4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001ad50000 | 0x1ad50000 | 0x1ae5afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001ae60000 | 0x1ae60000 | 0x1af5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x1af60000 | 0x1b296fff | Memory Mapped File | Readable |
|
|
|
- |
| rpcss.dll | 0x1b2a0000 | 0x1b375fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000001b2a0000 | 0x1b2a0000 | 0x1b39ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b3a0000 | 0x1b3a0000 | 0x1b3affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b3b0000 | 0x1b3b0000 | 0x1b3bffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000001b3c0000 | 0x1b3c0000 | 0x1b4bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b4c0000 | 0x1b4c0000 | 0x1b5bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b5c0000 | 0x1b5c0000 | 0x1b5cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000001b5c0000 | 0x1b5c0000 | 0x1b607fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b5d0000 | 0x1b5d0000 | 0x1b5dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b5e0000 | 0x1b5e0000 | 0x1b5effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b5f0000 | 0x1b5f0000 | 0x1b5fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b600000 | 0x1b600000 | 0x1b60ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b610000 | 0x1b610000 | 0x1b61ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b610000 | 0x1b610000 | 0x1b70ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b620000 | 0x1b620000 | 0x1b62ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b630000 | 0x1b630000 | 0x1b64ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b630000 | 0x1b630000 | 0x1b63ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b640000 | 0x1b640000 | 0x1b64ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b650000 | 0x1b650000 | 0x1b65ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b660000 | 0x1b660000 | 0x1b66ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b670000 | 0x1b670000 | 0x1b67ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b680000 | 0x1b680000 | 0x1b68ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b710000 | 0x1b710000 | 0x1b80ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b810000 | 0x1b810000 | 0x1b90ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b910000 | 0x1b910000 | 0x1ba0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001ba10000 | 0x1ba10000 | 0x1bb0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000001bb10000 | 0x1bb10000 | 0x1bb52fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000001bb60000 | 0x1bb60000 | 0x1bb8cfff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001bb90000 | 0x1bb90000 | 0x1bc8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001bc90000 | 0x1bc90000 | 0x1bd8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001bd90000 | 0x1bd90000 | 0x1be8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00007ff5ff670000 | 0x7ff5ff670000 | 0x7ff5ff671fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff672000 | 0x7ff5ff672000 | 0x7ff5ff673fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff674000 | 0x7ff5ff674000 | 0x7ff5ff675fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff676000 | 0x7ff5ff676000 | 0x7ff5ff677fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff678000 | 0x7ff5ff678000 | 0x7ff5ff679fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff67a000 | 0x7ff5ff67a000 | 0x7ff5ff67bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff67c000 | 0x7ff5ff67c000 | 0x7ff5ff67dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff67e000 | 0x7ff5ff67e000 | 0x7ff5ff67ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff680000 | 0x7ff5ff680000 | 0x7ff5ff68ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ff5ff690000 | 0x7ff5ff690000 | 0x7ff5ff72ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00007ff5ff730000 | 0x7ff5ff730000 | 0x7ff5ff82ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff5ff830000 | 0x7ff5ff830000 | 0x7ff5ff852fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff5ff853000 | 0x7ff5ff853000 | 0x7ff5ff854fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff855000 | 0x7ff5ff855000 | 0x7ff5ff856fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff857000 | 0x7ff5ff857000 | 0x7ff5ff858fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff859000 | 0x7ff5ff859000 | 0x7ff5ff85afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff85b000 | 0x7ff5ff85b000 | 0x7ff5ff85cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff85d000 | 0x7ff5ff85d000 | 0x7ff5ff85efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff5ff85f000 | 0x7ff5ff85f000 | 0x7ff5ff85ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ffb8bb90000 | 0x7ffb8bb90000 | 0x7ffb8bb9ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8bba0000 | 0x7ffb8bba0000 | 0x7ffb8bbaffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8bbb0000 | 0x7ffb8bbb0000 | 0x7ffb8bc3ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8bc40000 | 0x7ffb8bc40000 | 0x7ffb8bcaffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8bcb0000 | 0x7ffb8bcb0000 | 0x7ffb8bcbffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8bcc0000 | 0x7ffb8bcc0000 | 0x7ffb8bcfffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8bd00000 | 0x7ffb8bd00000 | 0x7ffb8bd0ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8bd10000 | 0x7ffb8bd10000 | 0x7ffb8bd1ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ffb8bd20000 | 0x7ffb8bd20000 | 0x7ffb8bd2ffff | Private Memory | - |
|
|
|
- |
| system.windows.forms.ni.dll | 0x7ffbe6390000 | 0x7ffbe726ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wminet_utils.dll | 0x7ffbe8460000 | 0x7ffbe846bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.ni.dll | 0x7ffbe8700000 | 0x7ffbe885efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.ni.dll | 0x7ffbe8f20000 | 0x7ffbe9b33fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clrjit.dll | 0x7ffbe9da0000 | 0x7ffbe9ea0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorlib.ni.dll | 0x7ffbe9eb0000 | 0x7ffbeb34afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clr.dll | 0x7ffbeb350000 | 0x7ffbebca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7ffbec160000 | 0x7ffbec1c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr120_clr0400.dll | 0x7ffbec2a0000 | 0x7ffbec396fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7ffbec3a0000 | 0x7ffbec436fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wmiutils.dll | 0x7ffbf6120000 | 0x7ffbf6144fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x7ffbf6150000 | 0x7ffbf6163fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x7ffbf6170000 | 0x7ffbf6267fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x7ffbf64d0000 | 0x7ffbf64e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x7ffbfa160000 | 0x7ffbfa1defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7ffbfb2c0000 | 0x7ffbfb2c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7ffbff0d0000 | 0x7ffbff147fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffbffdc0000 | 0x7ffbffdf2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffc00170000 | 0x7ffc00186fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffc002e0000 | 0x7ffc002eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffc006c0000 | 0x7ffc006e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc006f0000 | 0x7ffc0075afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc00910000 | 0x7ffc0091efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ffc01540000 | 0x7ffc015e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffc015f0000 | 0x7ffc01625fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffc01640000 | 0x7ffc016e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffc018a0000 | 0x7ffc01b1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffc01f00000 | 0x7ffc0204dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffc02050000 | 0x7ffc02057fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffc02160000 | 0x7ffc022bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffc037f0000 | 0x7ffc03974fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffc03980000 | 0x7ffc039e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffc03a50000 | 0x7ffc03aa0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffc03bb0000 | 0x7ffc03cf0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffc03d00000 | 0x7ffc03dbdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
|
For performance reasons, the remaining 21 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\ciihmnxmn6ps\documents\database1.accdb | 348.00 KB |
MD5:
0affb996a3d753e52944587f1949b434
SHA1: 073cc2544d7db1bb48ee1f1742b40b8452baed3a SHA256: 69313f9e8400235f34fe6f09c8789fadfb2bff8d19d19fda69782cc0085c652f |
|
|
| c:\users\ciihmnxmn6ps\documents\database1.accdb | 348.04 KB |
MD5:
2e6813acd120565be9c33bfe27bcf013
SHA1: 81dfc5d15bd304167463ca46916829dfa3dbbbba SHA256: 04d1af35c31806b0b70070fe7b45c9f3f77daeb61e222cc9d6cb0f5c74de1fd1 |
|
|
| c:\users\ciihmnxmn6ps\desktop\i4r-ul5\yxxexh\xq6rk6uq64dvg1c.avi | 69.63 KB |
MD5:
c5adfc861c7f8e34c6780adc95727876
SHA1: 900fe27c29cb830233a23446e265b7435fcc74e5 SHA256: c4925f97c5939cc6abe1bd3c0826b711ee6aaeaf8507c73836ee1bd8e2efb403 |
|
|
| c:\users\ciihmnxmn6ps\desktop\i4r-ul5\yxxexh\xq6rk6uq64dvg1c.avi | 69.66 KB |
MD5:
ea15ca3be4e77f2697033b37d6b13b40
SHA1: e6b8e164a7065c1e67b0748e37a5a5acf0a18c66 SHA256: b6abc966fef57b7ba6cc8afb4234f753ff3fd661f8923051c4602ee9b53d398f |
|
|
| c:\users\ciihmnxmn6ps\desktop\phqq\hnnrdpa\vm9rzszbg2b2vr2.avi | 97.06 KB |
MD5:
bdd673b0dd4e1e770b5253a6e9383594
SHA1: 879261e7b3d7f41c407e79dd5da6c1ea72afbdf5 SHA256: 8cdcb2d8d8434ee55c9c9c0b7565ad3a6c9691470d0dc825c0f13dfdb73cf185 |
|
|
| c:\users\ciihmnxmn6ps\desktop\phqq\hnnrdpa\vm9rzszbg2b2vr2.avi | 97.10 KB |
MD5:
be74b1fc220d9168e6ed190f68b9d773
SHA1: 5f47f7d95e7fe6f648a79db0a8d417ca2a81e6d0 SHA256: 73b86fd70e00fbf33fc5d17cf8209988299e5fecb30ea2c5033d8a8d10f7b220 |
|
|
| c:\users\ciihmnxmn6ps\documents\woti l543fb\xljhq-trrewg.csv | 70.42 KB |
MD5:
3b0a062839ef2d945084f41b11081d9c
SHA1: 467f132d345dbe2e5b01e87fcc30dbb2ea14a64b SHA256: 16fc1803b0ed60de6b82db5c94769af7651f7b98ebaa630cb48f7d17810284c4 |
|
|
Host Behavior
COM (5)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WbemDefaultPathParser | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WBEMLocator | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\root\SecurityCenter2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM AntiVirusProduct |
|
1 |
File (88)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\I4R-uL5\YxXEXh\XQ6rK6UQ64DvG1c.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\I4R-uL5\YxXEXh\XQ6rK6UQ64DvG1c.avi | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\I4R-uL5\YxXEXh\XQ6rK6UQ64DvG1c.avi | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\woTi L543Fb\XljhQ-TRREwg.csv | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents\woTi L543Fb\XljhQ-TRREwg.csv | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\$RECYCLE.BIN | type = file_attributes |
|
1 | |
| Get Info | C:\BOOT | type = file_attributes |
|
1 | |
| Get Info | C:\DOCUMENTS AND SETTINGS | type = file_attributes |
|
1 | |
| Get Info | C:\PERFLOGS | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRAM FILES | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRAM FILES (X86) | type = file_attributes |
|
1 | |
| Get Info | C:\PROGRAMDATA | type = file_attributes |
|
1 | |
| Get Info | C:\RECOVERY | type = file_attributes |
|
1 | |
| Get Info | C:\SYSTEM VOLUME INFORMATION | type = file_attributes |
|
1 | |
| Get Info | C:\USERS | type = file_attributes |
|
1 | |
| Get Info | C:\WINDOWS | type = file_attributes |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\$Recycle.Bin | type = file_attributes |
|
2 | |
| Get Info | C:\Boot | type = file_attributes |
|
2 | |
| Get Info | C:\PerfLogs | type = file_attributes |
|
2 | |
| Get Info | C:\Recovery | type = file_attributes |
|
2 | |
| Get Info | C:\Users | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | type = file_type |
|
8 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | type = size, size_out = 0 |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\I4R-uL5\YxXEXh\XQ6rK6UQ64DvG1c.avi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\I4R-uL5\YxXEXh\XQ6rK6UQ64DvG1c.avi | type = file_type |
|
6 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\I4R-uL5\YxXEXh\XQ6rK6UQ64DvG1c.avi | type = size, size_out = 0 |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | type = file_type |
|
8 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | type = size, size_out = 0 |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\woTi L543Fb\XljhQ-TRREwg.csv | type = file_type |
|
4 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | size = 4096, size_out = 36 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | size = 356352, size_out = 356352 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\I4R-uL5\YxXEXh\XQ6rK6UQ64DvG1c.avi | size = 71296, size_out = 71296 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | size = 4096, size_out = 36 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | size = 99328, size_out = 99328 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | size = 4096, size_out = 2781 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | size = 356352 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | size = 36 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop\I4R-uL5\YxXEXh\XQ6rK6UQ64DvG1c.avi | size = 71296 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop\I4R-uL5\YxXEXh\XQ6rK6UQ64DvG1c.avi | size = 36 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | size = 99328 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop\pHqq\HNnrDpa\vM9Rzszbg2B2vr2.avi | size = 36 |
|
1 | |
| Write | - | size = 72064 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents\woTi L543Fb\XljhQ-TRREwg.csv | size = 36 |
|
1 |
Registry (18)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = TZI, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = FirstEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = FirstEntry, data = 2007, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = LastEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = LastEntry, data = 2008, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = 2007, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = 2008, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Display, data = @tzres.dll,-670, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Std, data = @tzres.dll,-672, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Dlt, data = @tzres.dll,-671, type = REG_SZ |
|
1 |
Module (53)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\wminet_utils.dll | base_address = 0x7ffbe8460000 |
|
1 | |
| Load | C:\Windows\system32\en-US\tzres.dll.mui | base_address = 0x1b3a0001 |
|
3 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = ResetSecurity, address_out = 0x7ffbe8462738 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = SetSecurity, address_out = 0x7ffbe8462794 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = BlessIWbemServices, address_out = 0x7ffbe84619d0 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = BlessIWbemServicesObject, address_out = 0x7ffbe8461a70 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = GetPropertyHandle, address_out = 0x7ffbe84622a0 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = WritePropertyValue, address_out = 0x7ffbe84628e4 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = Clone, address_out = 0x7ffbe8461b10 |
|
2 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = VerifyClientKey, address_out = 0x7ffbe846283c |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = GetQualifierSet, address_out = 0x7ffbe8462324 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = Get, address_out = 0x7ffbe8462124 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = Put, address_out = 0x7ffbe84623d4 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = Delete, address_out = 0x7ffbe8461ea0 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = GetNames, address_out = 0x7ffbe8462250 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = BeginEnumeration, address_out = 0x7ffbe84619b0 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = Next, address_out = 0x7ffbe8462354 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = EndEnumeration, address_out = 0x7ffbe8461f78 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = GetPropertyQualifierSet, address_out = 0x7ffbe8462310 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = GetObjectText, address_out = 0x7ffbe846228c |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = SpawnDerivedClass, address_out = 0x7ffbe8462800 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = SpawnInstance, address_out = 0x7ffbe8462814 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = CompareTo, address_out = 0x7ffbe8461bd0 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = GetPropertyOrigin, address_out = 0x7ffbe84622f8 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = InheritsFrom, address_out = 0x7ffbe8462334 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = GetMethod, address_out = 0x7ffbe84621e4 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = PutMethod, address_out = 0x7ffbe84625b4 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = DeleteMethod, address_out = 0x7ffbe8461eb0 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = BeginMethodEnumeration, address_out = 0x7ffbe84619c0 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = NextMethod, address_out = 0x7ffbe8462398 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = EndMethodEnumeration, address_out = 0x7ffbe8461f84 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = GetMethodQualifierSet, address_out = 0x7ffbe8462238 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = GetMethodOrigin, address_out = 0x7ffbe8462220 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = QualifierSet_Get, address_out = 0x7ffbe846261c |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = QualifierSet_Put, address_out = 0x7ffbe84626a4 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = QualifierSet_Delete, address_out = 0x7ffbe8462600 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = QualifierSet_GetNames, address_out = 0x7ffbe8462658 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = QualifierSet_BeginEnumeration, address_out = 0x7ffbe84625f0 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = QualifierSet_Next, address_out = 0x7ffbe846266c |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = QualifierSet_EndEnumeration, address_out = 0x7ffbe8462610 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = GetCurrentApartmentType, address_out = 0x7ffbe8462324 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = GetDemultiplexedStub, address_out = 0x7ffbe8462168 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = CreateInstanceEnumWmi, address_out = 0x7ffbe8461de0 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = CreateClassEnumWmi, address_out = 0x7ffbe8461d24 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = ExecQueryWmi, address_out = 0x7ffbe846205c |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = ExecNotificationQueryWmi, address_out = 0x7ffbe8461f94 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = PutInstanceWmi, address_out = 0x7ffbe84624e0 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = PutClassWmi, address_out = 0x7ffbe846240c |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = CloneEnumWbemClassObject, address_out = 0x7ffbe8461b20 |
|
1 | |
| Get Address | c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll | function = ConnectServerWmi, address_out = 0x7ffbe8461be8 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (634)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
2 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
470 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
3 | |
| Sleep | duration = 55000 milliseconds (55.000 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
150 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = COR_ENABLE_PROFILING |
|
3 |
Process #4: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:14, Reason: RPC Server |
| Unmonitor | End Time: 00:02:43, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:29 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x378 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
FF4
0x
FF0
0x
FEC
0x
FE8
0x
FE4
0x
FE0
0x
FDC
0x
FD8
0x
FB4
0x
EF4
0x
EF0
0x
EEC
0x
EE8
0x
EE4
0x
EE0
0x
EDC
0x
ED8
0x
ED4
0x
ED0
0x
ECC
0x
E6C
0x
E60
0x
D30
0x
994
0x
938
0x
610
0x
798
0x
878
0x
870
0x
784
0x
780
0x
754
0x
750
0x
740
0x
73C
0x
738
0x
734
0x
688
0x
730
0x
724
0x
71C
0x
70C
0x
708
0x
6F4
0x
6EC
0x
6D4
0x
6B4
0x
694
0x
680
0x
664
0x
650
0x
64C
0x
630
0x
628
0x
5F8
0x
5E4
0x
5CC
0x
5C4
0x
574
0x
558
0x
530
0x
4DC
0x
414
0x
118
0x
FC
0x
140
0x
1A0
0x
14C
0x
154
0x
130
0x
160
0x
F8
0x
3DC
0x
3D8
0x
3D0
0x
3CC
0x
3C8
0x
37C
0x
9A4
0x
594
0x
C3C
0x
C88
0x
C7C
0x
C78
0x
5C0
0x
5C8
0x
1B4
0x
350
0x
908
0x
134
0x
F0
0x
93C
0x
AD8
0x
CDC
0x
788
0x
A38
0x
D34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e5e10000 | 0x51e5e10000 | 0x51e5e1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| svchost.exe.mui | 0x51e5e20000 | 0x51e5e20fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000051e5e30000 | 0x51e5e30000 | 0x51e5e43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e5e50000 | 0x51e5e50000 | 0x51e5ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e5ed0000 | 0x51e5ed0000 | 0x51e5ed3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e5ee0000 | 0x51e5ee0000 | 0x51e5ee0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e5ef0000 | 0x51e5ef0000 | 0x51e5ef1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x51e5f00000 | 0x51e5fbdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e5fc0000 | 0x51e5fc0000 | 0x51e5fc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e5fd0000 | 0x51e5fd0000 | 0x51e5fd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e5fe0000 | 0x51e5fe0000 | 0x51e5fe0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e5ff0000 | 0x51e5ff0000 | 0x51e5ff0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e6000000 | 0x51e6000000 | 0x51e60fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e6100000 | 0x51e6100000 | 0x51e617ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e6180000 | 0x51e6180000 | 0x51e6180fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e6190000 | 0x51e6190000 | 0x51e6190fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e61a0000 | 0x51e61a0000 | 0x51e61a1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e61b0000 | 0x51e61b0000 | 0x51e61b6fff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x51e61c0000 | 0x51e61c3fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x51e61d0000 | 0x51e61d3fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e61e0000 | 0x51e61e0000 | 0x51e61e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| iphlpsvc.dll.mui | 0x51e61f0000 | 0x51e61fcfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e6200000 | 0x51e6200000 | 0x51e62fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e6300000 | 0x51e6300000 | 0x51e6487fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e6490000 | 0x51e6490000 | 0x51e6610fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e6620000 | 0x51e6620000 | 0x51e66dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e66e0000 | 0x51e66e0000 | 0x51e675ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e6760000 | 0x51e6760000 | 0x51e67dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e67e0000 | 0x51e67e0000 | 0x51e68dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e68e0000 | 0x51e68e0000 | 0x51e69dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e69e0000 | 0x51e69e0000 | 0x51e6adffff | Private Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000b.db | 0x51e6ae0000 | 0x51e6b22fff | Memory Mapped File | Readable |
|
|
|
- |
| propsys.dll.mui | 0x51e6b30000 | 0x51e6b40fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e6b50000 | 0x51e6b50000 | 0x51e6b56fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e6b60000 | 0x51e6b60000 | 0x51e6b77fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e6b80000 | 0x51e6b80000 | 0x51e6b86fff | Private Memory | Readable, Writable |
|
|
|
- |
| winnlsres.dll | 0x51e6b90000 | 0x51e6b94fff | Memory Mapped File | Readable |
|
|
|
- |
| usocore.dll.mui | 0x51e6bb0000 | 0x51e6bb0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000051e6bc0000 | 0x51e6bc0000 | 0x51e6bc1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| winnlsres.dll.mui | 0x51e6bd0000 | 0x51e6bdffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000051e6be0000 | 0x51e6be0000 | 0x51e6be1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gpsvc.dll.mui | 0x51e6bf0000 | 0x51e6bfcfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e6c00000 | 0x51e6c00000 | 0x51e6cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x51e6d00000 | 0x51e7036fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e7040000 | 0x51e7040000 | 0x51e713ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7140000 | 0x51e7140000 | 0x51e723ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7240000 | 0x51e7240000 | 0x51e733ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7340000 | 0x51e7340000 | 0x51e743ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7440000 | 0x51e7440000 | 0x51e74bffff | Private Memory | Readable, Writable |
|
|
|
- |
| vsstrace.dll.mui | 0x51e74c0000 | 0x51e74c8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e74d0000 | 0x51e74d0000 | 0x51e74d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| activeds.dll.mui | 0x51e74e0000 | 0x51e74e1fff | Memory Mapped File | Readable |
|
|
|
- |
| mswsock.dll.mui | 0x51e74f0000 | 0x51e74f2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e7500000 | 0x51e7500000 | 0x51e75fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7600000 | 0x51e7600000 | 0x51e76fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7700000 | 0x51e7700000 | 0x51e777ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7780000 | 0x51e7780000 | 0x51e787ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7880000 | 0x51e7880000 | 0x51e797ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7980000 | 0x51e7980000 | 0x51e7a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7a80000 | 0x51e7a80000 | 0x51e7afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7b00000 | 0x51e7b00000 | 0x51e7bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x51e7c00000 | 0x51e7c8afff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e7c90000 | 0x51e7c90000 | 0x51e7d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7d90000 | 0x51e7d90000 | 0x51e7e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7e90000 | 0x51e7e90000 | 0x51e7f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7f90000 | 0x51e7f90000 | 0x51e800ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e8010000 | 0x51e8010000 | 0x51e8010fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e8020000 | 0x51e8020000 | 0x51e8022fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e8030000 | 0x51e8030000 | 0x51e8030fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e8040000 | 0x51e8040000 | 0x51e8040fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| dosvc.dll.mui | 0x51e8050000 | 0x51e8050fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e8110000 | 0x51e8110000 | 0x51e820ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8290000 | 0x51e8290000 | 0x51e838ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8390000 | 0x51e8390000 | 0x51e848ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8490000 | 0x51e8490000 | 0x51e850ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e8510000 | 0x51e8510000 | 0x51e860ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8630000 | 0x51e8630000 | 0x51e8636fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8700000 | 0x51e8700000 | 0x51e87fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8800000 | 0x51e8800000 | 0x51e88fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8900000 | 0x51e8900000 | 0x51e89fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8a80000 | 0x51e8a80000 | 0x51e8b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8c00000 | 0x51e8c00000 | 0x51e8c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8c80000 | 0x51e8c80000 | 0x51e8d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8e00000 | 0x51e8e00000 | 0x51e8e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8f00000 | 0x51e8f00000 | 0x51e8ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9000000 | 0x51e9000000 | 0x51e90fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9100000 | 0x51e9100000 | 0x51e917ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9180000 | 0x51e9180000 | 0x51e91fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9200000 | 0x51e9200000 | 0x51e92fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9300000 | 0x51e9300000 | 0x51e93fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9400000 | 0x51e9400000 | 0x51e94fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9500000 | 0x51e9500000 | 0x51e95fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9600000 | 0x51e9600000 | 0x51e96fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9700000 | 0x51e9700000 | 0x51e97fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9800000 | 0x51e9800000 | 0x51e98fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9900000 | 0x51e9900000 | 0x51e99fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9a00000 | 0x51e9a00000 | 0x51e9afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9b00000 | 0x51e9b00000 | 0x51e9bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9c00000 | 0x51e9c00000 | 0x51e9cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9d00000 | 0x51e9d00000 | 0x51e9dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9e00000 | 0x51e9e00000 | 0x51e9efffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x51e9f00000 | 0x51e9fdefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e9fe0000 | 0x51e9fe0000 | 0x51ea0dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea0e0000 | 0x51ea0e0000 | 0x51ea15ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea170000 | 0x51ea170000 | 0x51ea176fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea180000 | 0x51ea180000 | 0x51ea27ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea300000 | 0x51ea300000 | 0x51ea3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea400000 | 0x51ea400000 | 0x51ea4fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea700000 | 0x51ea700000 | 0x51ea7fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea800000 | 0x51ea800000 | 0x51ea8fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea900000 | 0x51ea900000 | 0x51ea9fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eaa00000 | 0x51eaa00000 | 0x51eaafffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eab00000 | 0x51eab00000 | 0x51eabfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eac00000 | 0x51eac00000 | 0x51eacfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ead00000 | 0x51ead00000 | 0x51eadfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eae00000 | 0x51eae00000 | 0x51eaefffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eaf00000 | 0x51eaf00000 | 0x51eaffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb1d0000 | 0x51eb1d0000 | 0x51eb1d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb200000 | 0x51eb200000 | 0x51eb2fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb300000 | 0x51eb300000 | 0x51eb3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb900000 | 0x51eb900000 | 0x51eb9fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eba00000 | 0x51eba00000 | 0x51ebafffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ebb00000 | 0x51ebb00000 | 0x51ebbfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ebc00000 | 0x51ebc00000 | 0x51ebcfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ebd00000 | 0x51ebd00000 | 0x51ebdfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ebe00000 | 0x51ebe00000 | 0x51ebefffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ebf00000 | 0x51ebf00000 | 0x51ebffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ec000000 | 0x51ec000000 | 0x51ec0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ec100000 | 0x51ec100000 | 0x51ec1fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ec200000 | 0x51ec200000 | 0x51ec2fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ec300000 | 0x51ec300000 | 0x51ec3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ffdb0000 | 0x7df5ffdb0000 | 0x7ff5ffdaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7b3aa0000 | 0x7ff7b3aa0000 | 0x7ff7b3aa1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aa2000 | 0x7ff7b3aa2000 | 0x7ff7b3aa3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aa4000 | 0x7ff7b3aa4000 | 0x7ff7b3aa5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aa6000 | 0x7ff7b3aa6000 | 0x7ff7b3aa7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aa8000 | 0x7ff7b3aa8000 | 0x7ff7b3aa9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aaa000 | 0x7ff7b3aaa000 | 0x7ff7b3aabfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aac000 | 0x7ff7b3aac000 | 0x7ff7b3aadfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aae000 | 0x7ff7b3aae000 | 0x7ff7b3aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ab0000 | 0x7ff7b3ab0000 | 0x7ff7b3ab1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ab2000 | 0x7ff7b3ab2000 | 0x7ff7b3ab3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ab4000 | 0x7ff7b3ab4000 | 0x7ff7b3ab5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3abe000 | 0x7ff7b3abe000 | 0x7ff7b3abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac0000 | 0x7ff7b3ac0000 | 0x7ff7b3ac1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac2000 | 0x7ff7b3ac2000 | 0x7ff7b3ac3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac4000 | 0x7ff7b3ac4000 | 0x7ff7b3ac5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac8000 | 0x7ff7b3ac8000 | 0x7ff7b3ac9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aca000 | 0x7ff7b3aca000 | 0x7ff7b3acbfff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 337 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #5: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\sc.exe |
| Command Line | C:\Windows\system32\sc.exe start wuauserv |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:43, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb50 |
| Parent PID | 0x378 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
BEC
0x
B2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000009a4ca10000 | 0x9a4ca10000 | 0x9a4ca2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009a4ca10000 | 0x9a4ca10000 | 0x9a4ca1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009a4ca20000 | 0x9a4ca20000 | 0x9a4ca2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009a4ca30000 | 0x9a4ca30000 | 0x9a4ca43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000009a4ca50000 | 0x9a4ca50000 | 0x9a4cacffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009a4cad0000 | 0x9a4cad0000 | 0x9a4cad3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000009a4cae0000 | 0x9a4cae0000 | 0x9a4cae0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000009a4caf0000 | 0x9a4caf0000 | 0x9a4caf1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x9a4cb00000 | 0x9a4cbbdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000009a4cbc0000 | 0x9a4cbc0000 | 0x9a4cc3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009a4cc40000 | 0x9a4cc40000 | 0x9a4cc46fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009a4cc50000 | 0x9a4cc50000 | 0x9a4cc56fff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x9a4cc60000 | 0x9a4cc71fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000009a4ccd0000 | 0x9a4ccd0000 | 0x9a4cdcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ffb40000 | 0x7df5ffb40000 | 0x7ff5ffb3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff779c00000 | 0x7ff779c00000 | 0x7ff779cfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff779d00000 | 0x7ff779d00000 | 0x7ff779d22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff779d2b000 | 0x7ff779d2b000 | 0x7ff779d2cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff779d2d000 | 0x7ff779d2d000 | 0x7ff779d2efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff779d2f000 | 0x7ff779d2f000 | 0x7ff779d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x7ff77a430000 | 0x7ff77a445fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 425 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\sc.exe | base_address = 0x7ff77a430000 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | service_name = wuauserv |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Start | service_name = wuauserv |
|
1 |
Process #8: services.exe
0
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:13, Reason: Created Daemon |
| Unmonitor | End Time: 00:02:43, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:30 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1e4 |
| Parent PID | 0x194 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
36C
0x
358
0x
30C
0x
308
0x
260
0x
240
0x
238
0x
DC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000a4161d0000 | 0xa4161d0000 | 0xa4161dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| services.exe.mui | 0xa4161e0000 | 0xa4161e4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000a4161f0000 | 0xa4161f0000 | 0xa416203fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a416290000 | 0xa416290000 | 0xa416293fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a4162a0000 | 0xa4162a0000 | 0xa4162a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0xa4162b0000 | 0xa41636dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000a416370000 | 0xa416370000 | 0xa416370fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a4163d0000 | 0xa4163d0000 | 0xa4163d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416400000 | 0xa416400000 | 0xa4164fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416580000 | 0xa416580000 | 0xa4165fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416600000 | 0xa416600000 | 0xa41667ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416680000 | 0xa416680000 | 0xa4166fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416750000 | 0xa416750000 | 0xa416756fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416800000 | 0xa416800000 | 0xa4168fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416900000 | 0xa416900000 | 0xa41697ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416980000 | 0xa416980000 | 0xa4169fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416b00000 | 0xa416b00000 | 0xa416b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416b80000 | 0xa416b80000 | 0xa416bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416c00000 | 0xa416c00000 | 0xa416cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ff8b0000 | 0x7df5ff8b0000 | 0x7ff5ff8affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff64fbc4000 | 0x7ff64fbc4000 | 0x7ff64fbc5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fbc6000 | 0x7ff64fbc6000 | 0x7ff64fbc7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fbcc000 | 0x7ff64fbcc000 | 0x7ff64fbcdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fbce000 | 0x7ff64fbce000 | 0x7ff64fbcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff64fbd0000 | 0x7ff64fbd0000 | 0x7ff64fccffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff64fcd0000 | 0x7ff64fcd0000 | 0x7ff64fcf2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff64fcf5000 | 0x7ff64fcf5000 | 0x7ff64fcf5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fcf6000 | 0x7ff64fcf6000 | 0x7ff64fcf7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fcf8000 | 0x7ff64fcf8000 | 0x7ff64fcf9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fcfa000 | 0x7ff64fcfa000 | 0x7ff64fcfbfff | Private Memory | Readable, Writable |
|
|
|
- |
| services.exe | 0x7ff650490000 | 0x7ff6504fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usermgrcli.dll | 0x7ffbfd180000 | 0x7ffbfd18ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| authz.dll | 0x7ffbff9b0000 | 0x7ffbff9f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scesrv.dll | 0x7ffbffa00000 | 0x7ffbffa8dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffbffb00000 | 0x7ffbffb25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ffc00110000 | 0x7ffc0016cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffc004c0000 | 0x7ffc004ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| spinf.dll | 0x7ffc00670000 | 0x7ffc0068afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| eventaggregation.dll | 0x7ffc00690000 | 0x7ffc006a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dabapi.dll | 0x7ffc006b0000 | 0x7ffc006b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc006f0000 | 0x7ffc0075afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffc008f0000 | 0x7ffc00902fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffc02050000 | 0x7ffc02057fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffc03980000 | 0x7ffc039e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #26: sppsvc.exe
125
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\system32\sppsvc.exe |
| Command Line | C:\Windows\system32\sppsvc.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:43, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd64 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D60
0x
D50
0x
D4C
0x
D44
0x
D74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000090ddc00000 | 0x90ddc00000 | 0x90ddc1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000090ddc00000 | 0x90ddc00000 | 0x90ddc06fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000090ddc10000 | 0x90ddc10000 | 0x90ddc1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000090ddc20000 | 0x90ddc20000 | 0x90ddc33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000090ddc40000 | 0x90ddc40000 | 0x90ddcbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000090ddcc0000 | 0x90ddcc0000 | 0x90ddcc6fff | Private Memory | Readable, Writable |
|
|
|
- |
| sppsvc.exe.mui | 0x90ddcd0000 | 0x90ddcd5fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000090ddce0000 | 0x90ddce0000 | 0x90ddce0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000090ddcf0000 | 0x90ddcf0000 | 0x90ddcf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000090ddd00000 | 0x90ddd00000 | 0x90dddfffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x90dde00000 | 0x90ddebdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000090ddec0000 | 0x90ddec0000 | 0x90ddf3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000090ddf40000 | 0x90ddf40000 | 0x90ddffffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000090de000000 | 0x90de000000 | 0x90de00ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000090de010000 | 0x90de010000 | 0x90de197fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000090de1a0000 | 0x90de1a0000 | 0x90de320fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000090de330000 | 0x90de330000 | 0x90de33ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000090de340000 | 0x90de340000 | 0x90de34ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000090de350000 | 0x90de350000 | 0x90de3cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000090de3d0000 | 0x90de3d0000 | 0x90de4cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000090de4d0000 | 0x90de4d0000 | 0x90de54ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x90de550000 | 0x90de886fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007df5ffe50000 | 0x7df5ffe50000 | 0x7ff5ffe4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff63a2d0000 | 0x7ff63a2d0000 | 0x7ff63a3cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff63a3d0000 | 0x7ff63a3d0000 | 0x7ff63a3f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff63a3f7000 | 0x7ff63a3f7000 | 0x7ff63a3f7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff63a3f8000 | 0x7ff63a3f8000 | 0x7ff63a3f9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff63a3fa000 | 0x7ff63a3fa000 | 0x7ff63a3fbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff63a3fc000 | 0x7ff63a3fc000 | 0x7ff63a3fdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff63a3fe000 | 0x7ff63a3fe000 | 0x7ff63a3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sppsvc.exe | 0x7ff63a970000 | 0x7ff63af9dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| webservices.dll | 0x7ffbe8c50000 | 0x7ffbe8dcafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clipc.dll | 0x7ffbf2bc0000 | 0x7ffbf2bd5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptxml.dll | 0x7ffbf2be0000 | 0x7ffbf2c01fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| xmllite.dll | 0x7ffbfbe40000 | 0x7ffbfbe75fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffbffdc0000 | 0x7ffbffdf2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffc00170000 | 0x7ffc00186fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffc002e0000 | 0x7ffc002eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffc006c0000 | 0x7ffc006e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc006f0000 | 0x7ffc0075afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc00910000 | 0x7ffc0091efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ffc00920000 | 0x7ffc00930fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ffc01190000 | 0x7ffc01350fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffc01640000 | 0x7ffc016e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffc018a0000 | 0x7ffc01b1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffc01f00000 | 0x7ffc0204dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffc037f0000 | 0x7ffc03974fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffc03bb0000 | 0x7ffc03cf0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffc03d00000 | 0x7ffc03dbdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
Registry (125)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-1 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-10 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-11 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-12 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-13 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-14 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-15 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-16 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-17 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-18 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-19 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-2 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-21 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-22 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-23 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-24 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-25 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-26 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-27 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-28 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-29 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-3 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-30 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-31 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-32 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-33 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-34 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-35 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-36 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-37 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-38 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-39 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-4 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-40 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-41 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-5 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-6 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-7 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-8 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-9 | - |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-1 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-10 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-11 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-12 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-13 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-14 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-15 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-16 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-17 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-18 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-19 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-2 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-21 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-22 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-23 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-24 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-25 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-26 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-27 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-28 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-29 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-3 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-30 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-31 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-32 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-33 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-34 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-35 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-36 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-37 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-38 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-39 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-4 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-40 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-41 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-5 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-6 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-7 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-8 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-9 | type = REG_BINARY |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 |
