2b277c411944cb25bf454ad5dc38d32e8eed45eac058304982c15646720990cf (SHA256)
beckky.exe
Windows Exe (x86-32)
Created at 2018-10-24 12:43:00
Notifications (2/3)
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: beckky.exe
2235
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\beckky.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\beckky.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:40, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:10, Reason: Self Terminated |
| Monitor Duration | 00:00:30 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed4 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED8
0x
F0C
0x
F10
0x
F44
0x
128
0x
278
0x
208
0x
C60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000ebfff | Pagefile Backed Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0x000e0000 | 0x00140fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00320fff | Private Memory | rw |
|
|
|
- |
| msvfw32.dll.mui | 0x00330000 | 0x00331fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00343fff | Private Memory | rw |
|
|
|
- |
| avicap32.dll.mui | 0x00350000 | 0x00352fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | rw |
|
|
|
- |
| beckky.exe | 0x00400000 | 0x004d7fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00510fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00520fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00530fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00540fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00550fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00560fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00570fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x00590fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a57fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00be0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x01feffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01ff0000 | 0x02326fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x0251ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x0244ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x0242ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x02430fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0244ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x02450fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002460000 | 0x02460000 | 0x02460fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x02470fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002480000 | 0x02480000 | 0x02480fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x02490fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x024a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x024b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024c0000 | 0x024c0000 | 0x024c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x024d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024e0000 | 0x024e0000 | 0x024e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x024f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002500000 | 0x02500000 | 0x02500fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002510000 | 0x02510000 | 0x0251ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002520000 | 0x02520000 | 0x02d1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002520000 | 0x02520000 | 0x02a11fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002a20000 | 0x02a20000 | 0x02b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b20000 | 0x02b20000 | 0x02b20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b30000 | 0x02b30000 | 0x02b30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b40000 | 0x02b40000 | 0x02b40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b50000 | 0x02b50000 | 0x02b50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b60000 | 0x02b60000 | 0x02b60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b70000 | 0x02b70000 | 0x02b70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b80000 | 0x02b80000 | 0x02b80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b90000 | 0x02b90000 | 0x02b90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ba0000 | 0x02ba0000 | 0x02ba0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02bb0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x02bc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02bd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02be0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02bf0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c00000 | 0x02c00000 | 0x02c00fff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x74220000 | 0x74240fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x74250000 | 0x74272fff | Memory Mapped File | rwx |
|
|
|
- |
| dciman32.dll | 0x74280000 | 0x74286fff | Memory Mapped File | rwx |
|
|
|
- |
| msvfw32.dll | 0x74290000 | 0x742b2fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x742c0000 | 0x74580fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74590000 | 0x745b3fff | Memory Mapped File | rwx |
|
|
|
- |
| ddraw.dll | 0x745c0000 | 0x746aafff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x746b0000 | 0x7481afff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x74820000 | 0x74827fff | Memory Mapped File | rwx |
|
|
|
- |
| avicap32.dll | 0x74830000 | 0x74843fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x74850000 | 0x749affff | Memory Mapped File | rwx |
|
|
|
- |
| glu32.dll | 0x749b0000 | 0x749d4fff | Memory Mapped File | rwx |
|
|
|
- |
| opengl32.dll | 0x749e0000 | 0x74abffff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x74ac0000 | 0x74b58fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74b60000 | 0x74bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fe4d000 | 0x7fe4d000 | 0x7fe4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe50000 | 0x7fe50000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 2119 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\Desktop\beckky.exe | 845.50 KB |
MD5:
2024c021e1da73ce79f6fc96a6289eb0
SHA1: 257ec0250896eefd97a67f6120419b7fc07e1ccc SHA256: 2b277c411944cb25bf454ad5dc38d32e8eed45eac058304982c15646720990cf SSDeep: 24576:Im8Qa/0cxZs5yMmH1EQgVhA3NZNnXofn/DOhmFFt:G/0cxZssFgVhmTNXmbzd |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\D232\4099.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\D232\4099.bat | 0.11 KB |
MD5:
5ab1685ac3e369f0e071d8bce200add8
SHA1: 493e8a529a2d815564c4e30728402a4976634b5a SHA256: 20508bdc4f179c7daca31cea5ef3c226445bb81f543823e5535e280d18e5ce4f SSDeep: 3:MqDFu6OWRNfeURzTovG+gU64vHXMJATkUEzQQTovBs+n:rlRhJTVGvvHXMJ2dgtTl+n |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | 845.50 KB |
MD5:
14624a38abffbc5bc154d77b12b08545
SHA1: 407a3151dc9d1584d5221947177e453741da906a SHA256: d3fb843d103652b6ccdeeed6b89bf39dfedec35faa0452577e7a9ba8a965a08c SSDeep: 24576:Y9m8Qa/0cxZs5yMmH1EQgVhA3NZNnXofn/DOhmFFt:k/0cxZssFgVhmTNXmbzd |
|
|
Host Behavior
File (28)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\c_1252.nls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\beckky.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\D232\4099.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw | - |
|
1 | |
| Create Directory | C:\Users\CIIHMN~1\AppData\Local\Temp\D232 | - |
|
1 | |
| Create Temp File | C:\Users\CIIHMN~1\AppData\Local\Temp\D232.tmp | path = C:\Users\CIIHMN~1\AppData\Local\Temp\ |
|
1 | |
| Create Temp File | C:\Users\CIIHMN~1\AppData\Local\Temp\D232\4099.tmp | path = C:\Users\CIIHMN~1\AppData\Local\Temp\D232 |
|
1 | |
| Get Info | - | - |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\beckky.exe | type = size |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | STD_ERROR_HANDLE | size = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\beckky.exe | size = 865792, size_out = 865792 |
|
1 | |
| Write | - | size = 0 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | size = 4096 |
|
2 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | size = 861696 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\D232\4099.bat | size = 110 |
|
1 |
Registry (20)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_USERS | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = 160, type = REG_NONE |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 118, type = REG_SZ |
|
1 | |
| Write Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Install, size = 118, type = REG_BINARY |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\D232\4099.bat | show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (190)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77ca0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x77290000 |
|
1 | |
| Load | SETUPAPI.dll | base_address = 0x76a90000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x75260000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75430000 |
|
1 | |
| Load | ole32.dll | base_address = 0x768b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
16 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\beckky.exe | base_address = 0x400000 |
|
7 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77ca0000 |
|
4 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76a10000 |
|
2 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77150000 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\beckky.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\beckky.exe, size = 260 |
|
1 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\beckky.exe | process_name = c:\users\ciihmnxmn6ps\desktop\beckky.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\beckky.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
9 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
6 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77d0e7b0 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x77d0ee50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x77d10010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = mbstowcs, address_out = 0x77d0e610 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x77cf3010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetVersion, address_out = 0x77cffcd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x77cfaca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationProcess, address_out = 0x77d08d50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x77d08f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x77d09d20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x77d08df0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x77d08cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x77d08e40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x77d08e80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtMapViewOfSection, address_out = 0x77d08e60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x77d09080 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x77cdb940 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUpcaseUnicodeString, address_out = 0x77cee040 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _aulldiv, address_out = 0x77d0c680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x77d08e10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIA, address_out = 0x772acd10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrW, address_out = 0x772a6a00 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x772a80d0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathCombineW, address_out = 0x772acd50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionA, address_out = 0x772b1db0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrA, address_out = 0x772b26c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrTrimW, address_out = 0x772a83a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionW, address_out = 0x772a7c40 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrA, address_out = 0x772b2900 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76ae19a0 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetClassDevsA, address_out = 0x76ab8d10 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiEnumDeviceInfo, address_out = 0x76aa5620 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiDestroyDeviceInfoList, address_out = 0x76aa5340 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x7527f4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75279640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x7527d940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x75279950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x7529d410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x75286510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75272d80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x7527e320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SwitchToThread, address_out = 0x75279f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x75285f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x75286410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x75286270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiW, address_out = 0x75277540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetWaitableTimer, address_out = 0x752860d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x752857f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x7529d320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x752861d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x75286170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareFileTime, address_out = 0x75286130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x752860b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x75286380 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x752a0960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x75286150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateWaitableTimerA, address_out = 0x7527db30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address_out = 0x7527a280 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SuspendThread, address_out = 0x7527ed00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7527c1f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x7527f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x752a0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75283a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x7527efc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x75286140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x752a2a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x75286210 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7527a040 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x75286360 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateRemoteThread, address_out = 0x752a0a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75278b70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x75277610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75278c70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x752747c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x75286530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x752863f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7717ea00 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperA, address_out = 0x771831c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = FindWindowA, address_out = 0x77180980 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7717ddf0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x771ccf50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x76a32520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x76a30ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x76a5bda0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x76a30f50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x76a30ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x76a331a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x76a30750 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x76a33150 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x76a2ee40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x76a2f000 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x755c4370 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x755c4cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 92, address_out = 0x756a7560 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x76eadca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x76eacd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7716ba70 |
|
1 |
Window (20)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | gamepads | class_name = WorkflowRuntime, wndproc_parameter = 0 |
|
1 | |
| Find | - | - |
|
18 | |
| Find | - | class_name = ProgMan |
|
1 |
System (39)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Cursor | x_out = 171, y_out = 502 |
|
3 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
10 | |
| Get Time | type = System Time, time = 2018-10-24 12:44:23 (UTC) |
|
3 | |
| Get Time | type = System Time, time = 2018-10-24 12:44:24 (UTC) |
|
15 | |
| Get Time | type = System Time, time = 2018-10-24 12:44:28 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 141921 |
|
1 | |
| Get Time | type = Ticks, time = 147609 |
|
4 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #2: cmd.exe
144
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\D232\4099.bat" "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\beckky.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:09, Reason: Child Process |
| Unmonitor | End Time: 00:01:31, Reason: Self Terminated |
| Monitor Duration | 00:00:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc54 |
| Parent PID | 0xed4 (c:\users\ciihmnxmn6ps\desktop\beckky.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A40
0x
CF8
0x
EDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00a70000 | 0x00abffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x04d5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x04d6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d73fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d83fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d90000 | 0x04d90000 | 0x04da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04eeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ef0000 | 0x04ef0000 | 0x04ef3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004f00000 | 0x04f00000 | 0x04f00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x04f20000 | 0x04fddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x0501ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0502ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0503ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x0515ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005160000 | 0x05160000 | 0x0525ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005450000 | 0x05450000 | 0x0545ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x05460000 | 0x05796fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| cmdext.dll | 0x74bf0000 | 0x74bf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007ee70000 | 0x7ee70000 | 0x7ef6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ef70000 | 0x7ef70000 | 0x7ef92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ef94000 | 0x7ef94000 | 0x7ef94fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef98000 | 0x7ef98000 | 0x7ef9afff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef9b000 | 0x7ef9b000 | 0x7ef9dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ef9e000 | 0x7ef9e000 | 0x7ef9efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (97)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\D232\4099.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIIHMN~1\AppData\Local\Temp\D232\4099.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
13 | |
| Open | STD_OUTPUT_HANDLE | - |
|
44 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 110 |
|
1 | |
| Read | - | size = 8191, size_out = 99 |
|
1 | |
| Read | - | size = 8191, size_out = 66 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 30 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 4 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 63 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 102 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xcf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xa70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #4: cmd.exe
52
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\beckky.exe"" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:01:31, Reason: Self Terminated |
| Monitor Duration | 00:00:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf4 |
| Parent PID | 0xc54 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CE8
0x
CE0
0x
F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005e0000 | 0x005e0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00601fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00603fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00623fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00773fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00791fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x007c0000 | 0x0087dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| cmd.exe | 0x00a70000 | 0x00abffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x04abffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04d9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04da0000 | 0x050d6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7e850000 | 0x7ebdffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000007ebe0000 | 0x7ebe0000 | 0x7ecdffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ece0000 | 0x7ece0000 | 0x7ed02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ed03000 | 0x7ed03000 | 0x7ed03fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed09000 | 0x7ed09000 | 0x7ed0bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed0c000 | 0x7ed0c000 | 0x7ed0efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ed0f000 | 0x7ed0f000 | 0x7ed0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe | os_pid = 0xcdc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xa70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x752a2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7527fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7527a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74f835c0 |
|
1 |
Environment (16)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 40010004 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #5: autoclb.exe
2203
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe |
| Command Line | "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\beckky.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:01:31, Reason: Self Terminated |
| Monitor Duration | 00:00:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcdc |
| Parent PID | 0xcf4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CD8
0x
CC8
0x
CD4
0x
658
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000ebfff | Pagefile Backed Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0x000e0000 | 0x00140fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Private Memory | rw |
|
|
|
- |
| msvfw32.dll.mui | 0x002e0000 | 0x002e1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f3fff | Private Memory | rw |
|
|
|
- |
| avicap32.dll.mui | 0x00300000 | 0x00302fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00350fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00360fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00370fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00380fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00390fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | rw |
|
|
|
- |
| autoclb.exe | 0x00400000 | 0x004d7fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00867fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x009f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x01e1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x01f20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x01f30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01f40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f50000 | 0x01f50000 | 0x01f50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x01f60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f70000 | 0x01f70000 | 0x01f70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f80000 | 0x01f80000 | 0x01f80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f90000 | 0x01f90000 | 0x01f90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x01fa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x01fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fc0000 | 0x01fc0000 | 0x01fc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fd0000 | 0x01fd0000 | 0x01fd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fe0000 | 0x01fe0000 | 0x01fe0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ff0000 | 0x01ff0000 | 0x01ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002000000 | 0x02000000 | 0x0200ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02010000 | 0x02346fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002350000 | 0x02350000 | 0x02b4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002350000 | 0x02350000 | 0x02841fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x0294ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x02950fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002960000 | 0x02960000 | 0x02960fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x02970fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002980000 | 0x02980000 | 0x02980fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x02990fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x029a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x029b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x029c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029d0000 | 0x029d0000 | 0x029d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029e0000 | 0x029e0000 | 0x029e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x029f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02a00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a10000 | 0x02a10000 | 0x02a10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a20000 | 0x02a20000 | 0x02a20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a30000 | 0x02a30000 | 0x02a30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a40000 | 0x02a40000 | 0x02a40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x02a50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a60000 | 0x02a60000 | 0x02a60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a70000 | 0x02a70000 | 0x02a70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02a80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02a90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002aa0000 | 0x02aa0000 | 0x02aa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02ab0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ac0000 | 0x02ac0000 | 0x02ac0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02ad0fff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x74210000 | 0x744d0fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x744e0000 | 0x74500fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x74510000 | 0x74532fff | Memory Mapped File | rwx |
|
|
|
- |
| dciman32.dll | 0x74540000 | 0x74546fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74550000 | 0x74573fff | Memory Mapped File | rwx |
|
|
|
- |
| msvfw32.dll | 0x74580000 | 0x745a2fff | Memory Mapped File | rwx |
|
|
|
- |
| ddraw.dll | 0x745b0000 | 0x7469afff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x746a0000 | 0x746a7fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x746b0000 | 0x7480ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x74810000 | 0x7497afff | Memory Mapped File | rwx |
|
|
|
- |
| avicap32.dll | 0x74980000 | 0x74993fff | Memory Mapped File | rwx |
|
|
|
- |
| glu32.dll | 0x749a0000 | 0x749c4fff | Memory Mapped File | rwx |
|
|
|
- |
| opengl32.dll | 0x749d0000 | 0x74aaffff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x74ab0000 | 0x74b48fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74b50000 | 0x74be1fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| sysmain.sdb | 0x7fb20000 | 0x7feaffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000007fe50000 | 0x7fe50000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 2089 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | - | - |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | STD_ERROR_HANDLE | size = 0 |
|
1 | |
| Write | - | size = 0 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 |
Module (183)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77ca0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x77290000 |
|
1 | |
| Load | SETUPAPI.dll | base_address = 0x76a90000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x75260000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77150000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76a10000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75430000 |
|
1 | |
| Load | ole32.dll | base_address = 0x768b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
15 | |
| Get Handle | c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe | base_address = 0x400000 |
|
6 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77ca0000 |
|
3 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76a10000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
9 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
6 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77d0e7b0 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x77d0ee50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x77d10010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = mbstowcs, address_out = 0x77d0e610 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x77cf3010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetVersion, address_out = 0x77cffcd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x77cfaca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationProcess, address_out = 0x77d08d50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x77d08f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x77d09d20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x77d08df0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x77d08cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x77d08e40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x77d08e80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtMapViewOfSection, address_out = 0x77d08e60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x77d09080 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x77cdb940 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUpcaseUnicodeString, address_out = 0x77cee040 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _aulldiv, address_out = 0x77d0c680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x77d08e10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIA, address_out = 0x772acd10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrW, address_out = 0x772a6a00 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x772a80d0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathCombineW, address_out = 0x772acd50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionA, address_out = 0x772b1db0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrA, address_out = 0x772b26c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrTrimW, address_out = 0x772a83a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionW, address_out = 0x772a7c40 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrA, address_out = 0x772b2900 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76ae19a0 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetClassDevsA, address_out = 0x76ab8d10 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiEnumDeviceInfo, address_out = 0x76aa5620 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiDestroyDeviceInfoList, address_out = 0x76aa5340 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x752725e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x7527f4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x752874f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75279640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x7527a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75285f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75279700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x7527d940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x75279950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x752860c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x7529d410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x75286510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75272d80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x7527e320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SwitchToThread, address_out = 0x75279f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x752864f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x75285f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x752862a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x75286410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75272db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x75286270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiW, address_out = 0x75277540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75277940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetWaitableTimer, address_out = 0x752860d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x752857f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x7529d320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x752861d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x75286170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareFileTime, address_out = 0x75286130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x752860b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75286590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x75286380 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x752a0960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x75286150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x752861b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75286180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateWaitableTimerA, address_out = 0x7527db30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address_out = 0x7527a280 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SuspendThread, address_out = 0x7527ed00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7527c1f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x7527f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x752787c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x752a0da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x752777b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75283a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x7527efc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75286110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x752864a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x75286140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x752a2a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x75286210 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7527a040 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75279560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x75286360 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x752792b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateRemoteThread, address_out = 0x752a0a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75278b70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x75277610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75278c70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75272af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75271d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x7527a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x752747c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x75286530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x752863f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7717ea00 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperA, address_out = 0x771831c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = FindWindowA, address_out = 0x77180980 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7717ddf0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x771ccf50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x76a2ed60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x76a32520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x76a2f590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x76a30ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x76a5bda0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x76a2f0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x76a30f50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x76a30ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x76a2ee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x76a331a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x76a30750 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x76a33150 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x76a2ed40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x76a2efa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x76a2ee40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x76a2f000 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x755c4370 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x755c4cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 92, address_out = 0x756a7560 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x76eadca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x76eacd50 |
|
1 |
Window (19)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | gamepads | class_name = WorkflowRuntime, wndproc_parameter = 0 |
|
1 | |
| Find | - | - |
|
18 |
System (25)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Cursor | x_out = 618, y_out = 170 |
|
3 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-10-24 12:44:50 (UTC) |
|
14 | |
| Get Time | type = System Time, time = 2018-10-24 12:44:51 (UTC) |
|
4 | |
| Get Time | type = System Time, time = 2018-10-24 12:44:55 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 169703 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #6: autoclb.exe
1363
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:38, Reason: Autostart |
| Unmonitor | End Time: 00:02:59, Reason: Self Terminated |
| Monitor Duration | 00:00:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9c8 |
| Parent PID | 0x85c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9C4
0x
9C0
0x
9BC
0x
9B4
0x
9B8
0x
2C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000ebfff | Pagefile Backed Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0x000e0000 | 0x00140fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| msvfw32.dll.mui | 0x002a0000 | 0x002a1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| avicap32.dll.mui | 0x00390000 | 0x00392fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | rw |
|
|
|
- |
| autoclb.exe | 0x00400000 | 0x004d7fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00510fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00aa7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00c30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x0207ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x02080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x02090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x020a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020b0000 | 0x020b0000 | 0x020b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020c0000 | 0x020c0000 | 0x020c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x020d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020e0000 | 0x020e0000 | 0x020e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x020f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002100000 | 0x02100000 | 0x02100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x02110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002120000 | 0x02120000 | 0x0212ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02130000 | 0x02466fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x0257ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x0256ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002570000 | 0x02570000 | 0x0257ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002580000 | 0x02580000 | 0x0268ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002580000 | 0x02580000 | 0x0267ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002680000 | 0x02680000 | 0x0268ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002690000 | 0x02690000 | 0x02e8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002690000 | 0x02690000 | 0x02b81fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002b90000 | 0x02b90000 | 0x02b90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ba0000 | 0x02ba0000 | 0x02ba0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02bb0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x02bc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02bd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02be0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02bf0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c00000 | 0x02c00000 | 0x02c00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c10000 | 0x02c10000 | 0x02c10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c20000 | 0x02c20000 | 0x02c20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02c30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02c40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02c50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02c60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c70000 | 0x02c70000 | 0x02c70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c80000 | 0x02c80000 | 0x02c80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c90000 | 0x02c90000 | 0x02c90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02ca0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cb0000 | 0x02cb0000 | 0x02cb0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cc0000 | 0x02cc0000 | 0x02cc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cd0000 | 0x02cd0000 | 0x02cd0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x02ce0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cf0000 | 0x02cf0000 | 0x02cf0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x02d00fff | Private Memory | rw |
|
|
|
- |
| wow64.dll | 0x6b8a0000 | 0x6b8eefff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x6b8f0000 | 0x6b962fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x6b970000 | 0x6b977fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x738b0000 | 0x73924fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x73930000 | 0x73950fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x73960000 | 0x73982fff | Memory Mapped File | rwx |
|
|
|
- |
| dciman32.dll | 0x73990000 | 0x73996fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x739a0000 | 0x73c60fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x73c70000 | 0x73c93fff | Memory Mapped File | rwx |
|
|
|
- |
| ddraw.dll | 0x73ca0000 | 0x73d8afff | Memory Mapped File | rwx |
|
|
|
- |
| msvfw32.dll | 0x73d90000 | 0x73db2fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x73dc0000 | 0x73dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x73dd0000 | 0x73f3afff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x73f40000 | 0x7409ffff | Memory Mapped File | rwx |
|
|
|
- |
| avicap32.dll | 0x740a0000 | 0x740b3fff | Memory Mapped File | rwx |
|
|
|
- |
| glu32.dll | 0x740c0000 | 0x740e4fff | Memory Mapped File | rwx |
|
|
|
- |
| opengl32.dll | 0x740f0000 | 0x741cffff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x741d0000 | 0x74268fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74270000 | 0x74301fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74310000 | 0x743a0fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x743b0000 | 0x74408fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74410000 | 0x74419fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74420000 | 0x7443dfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74440000 | 0x7457ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74640000 | 0x74683fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x747d0000 | 0x748b9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x748c0000 | 0x748eafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x74b10000 | 0x74bfffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x74c00000 | 0x74c0bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74c10000 | 0x74dc9fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74fb0000 | 0x74fbefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x75070000 | 0x7554cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75550000 | 0x755fbfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75610000 | 0x75645fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75660000 | 0x7571dfff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x75720000 | 0x757acfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x757b0000 | 0x758fcfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75900000 | 0x75a75fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x75a80000 | 0x75ac3fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75ad0000 | 0x75b12fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75cf0000 | 0x770aefff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x770b0000 | 0x7712afff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x77130000 | 0x771edfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x771f0000 | 0x7730ffff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77310000 | 0x77488fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fe40000 | 0x7fe40000 | 0x7fe9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fff0cddffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7fff0cde0000 | 0x7fff0cfa1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007fff0cfa2000 | 0x7fff0cfa2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 2098 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (15)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\c_1252.nls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw | - |
|
1 | |
| Get Info | - | - |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | STD_ERROR_HANDLE | size = 0 |
|
1 | |
| Write | - | size = 0 |
|
1 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_USERS | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\svchost.exe | os_pid = 0x4f4, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Suspend | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x2c0 |
|
1 | |
| Get Context | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x2c0 |
|
2 | |
| Set Context | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x2c0 |
|
1 | |
| Resume | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | os_tid = 0x2c0 |
|
2 |
Memory (5)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Windows\system32\svchost.exe | address = 0xdedf0c0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 233697468 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x7ff7ee023440, protection = PAGE_EXECUTE_READWRITE, size = 233698808 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0x7ff7ee023000, protection = PAGE_EXECUTE_READ, size = 233698808 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0xbc0000, size = 792 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x7ff7ee023440, size = 4 |
|
1 |
Module (229)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77310000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x74640000 |
|
1 | |
| Load | SETUPAPI.dll | base_address = 0x74960000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x74b10000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74440000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x770b0000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x75cf0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x747d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74b10000 |
|
17 | |
| Get Handle | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | base_address = 0x400000 |
|
7 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77310000 |
|
20 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x770b0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x74440000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 260 |
|
1 | |
| Get Filename | c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x74b2a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74b27580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74b29910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74b2f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x7736f190 |
|
9 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x7736a200 |
|
6 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x74b29680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x7737e7b0 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x7737ee50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x77380010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = mbstowcs, address_out = 0x7737e610 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x77363010 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlGetVersion, address_out = 0x7736fcd0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x7736aca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationProcess, address_out = 0x77378d50 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x77378f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x77379d20 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x77378df0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x77378cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x77378e40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x77378e80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtMapViewOfSection, address_out = 0x77378e60 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x77379080 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7734b940 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUpcaseUnicodeString, address_out = 0x7735e040 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = _aulldiv, address_out = 0x7737c680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x77378e10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIA, address_out = 0x7465cd10 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrW, address_out = 0x74656a00 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x746580d0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathCombineW, address_out = 0x7465cd50 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionA, address_out = 0x74661db0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrA, address_out = 0x746626c0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrTrimW, address_out = 0x746583a0 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionW, address_out = 0x74657c40 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrA, address_out = 0x74662900 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x749b19a0 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiGetClassDevsA, address_out = 0x74988d10 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiEnumDeviceInfo, address_out = 0x74975620 |
|
1 | |
| Get Address | Unknown module name | function = SetupDiDestroyDeviceInfoList, address_out = 0x74975340 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74b225e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x74b2f4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74b374f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x74b29640 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x74b2a4b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77372570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74b35f20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74b29700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x74b2d940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x74b29950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74b360c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x74b4d410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x74b36510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x74b22d80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x74b2e320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SwitchToThread, address_out = 0x74b29f30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74b364f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x74b35f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74b362a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x74b36410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74b22db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x74b36270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x7734da90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiW, address_out = 0x74b27540 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74b27940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetWaitableTimer, address_out = 0x74b360d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x74b357f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x74b4d320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x74b361d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x74b36170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareFileTime, address_out = 0x74b36130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x74b360b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74b36590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x74b36380 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x74b50960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x74b36150 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74b361b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74b36180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateWaitableTimerA, address_out = 0x74b2db30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address_out = 0x74b2a280 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SuspendThread, address_out = 0x74b2ed00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74b2c1f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x74b2f7b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74b287c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x74b50da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74b277b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74b33a30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x74b2efc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74b36110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74b364a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x74b2c8c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x74b36140 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x74b52a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x74b36210 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x74b2a040 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74b29560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x74b36360 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74b292b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateRemoteThread, address_out = 0x74b50a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x74b28b70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x74b27610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x74b28c70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74b22af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74b21d90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74b2a300 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x74b247c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x74b36530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x74b363f0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7446ea00 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperA, address_out = 0x744731c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = FindWindowA, address_out = 0x74470980 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x7446ddf0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x744bcf50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x770ced60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x770d2520 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x770cf590 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x770d0ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x770fbda0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x770cf0a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x770d0f50 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x770d0ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x770cee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x770d31a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x770d0750 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x770d3150 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x770ced40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x770cefa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x770cee40 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x770cf000 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x75e84370 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x75e84cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 92, address_out = 0x75f67560 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x74c7dca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x74c7cd50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74b296e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7445ba70 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64EnableWow64FsRedirection, address_out = 0x74b4b6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64QueryInformationProcess64, address_out = 0x7737a840 |
|
15 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64ReadVirtualMemory64, address_out = 0x7737a860 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 233698776 |
|
1 | |
| Map | - | process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xe380000 |
|
1 | |
| Map | - | process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xa80000 |
|
1 |
Window (21)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | gamepads | class_name = WorkflowRuntime, wndproc_parameter = 0 |
|
1 | |
| Find | - | - |
|
18 | |
| Find | - | class_name = ProgMan |
|
2 |
System (38)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Cursor | x_out = 751, y_out = 368 |
|
2 | |
| Get Cursor | x_out = 948, y_out = 604 |
|
1 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
10 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-10-24 01:46:15 (UTC) |
|
18 | |
| Get Time | type = System Time, time = 2018-10-24 01:46:19 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 66375 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #7: svchost.exe
314
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:56, Reason: Child Process |
| Unmonitor | End Time: 00:03:00, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4f4 |
| Parent PID | 0x9c8 (c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
7CC
0x
610
0x
9FC
0x
A90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00bb2fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bc0fff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007f56b000 | 0x7f56b000 | 0x7f56bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000cd30a80000 | 0xcd30a80000 | 0xcd30a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cd30a80000 | 0xcd30a80000 | 0xcd30a8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0xcd30a90000 | 0xcd30a90fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000cd30aa0000 | 0xcd30aa0000 | 0xcd30ab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cd30ac0000 | 0xcd30ac0000 | 0xcd30b3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cd30b40000 | 0xcd30b40000 | 0xcd30b43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000cd30b50000 | 0xcd30b50000 | 0xcd30b50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cd30b60000 | 0xcd30b60000 | 0xcd30b61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xcd30b70000 | 0xcd30c2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cd30c30000 | 0xcd30c30000 | 0xcd30caffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd30cb0000 | 0xcd30cb0000 | 0xcd30cb6fff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0xcd30cc0000 | 0xcd30cf3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cd30cc0000 | 0xcd30cc0000 | 0xcd30cc0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd30cd0000 | 0xcd30cd0000 | 0xcd30cd0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd30ce0000 | 0xcd30ce0000 | 0xcd30cecfff | Private Memory | rw |
|
|
|
- |
| msvfw32.dll.mui | 0xcd30cf0000 | 0xcd30cf1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cd30d00000 | 0xcd30d00000 | 0xcd30dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd30e00000 | 0xcd30e00000 | 0xcd30e9cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd30e00000 | 0xcd30e00000 | 0xcd30e4cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd30e90000 | 0xcd30e90000 | 0xcd30e9cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd30ea0000 | 0xcd30ea0000 | 0xcd3109ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd30f00000 | 0xcd30f00000 | 0xcd30ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cd31000000 | 0xcd31000000 | 0xcd31187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000cd31190000 | 0xcd31190000 | 0xcd31310fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000cd31320000 | 0xcd31320000 | 0xcd3271ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cd32720000 | 0xcd32720000 | 0xcd3291ffff | Private Memory | rw |
|
|
|
- |
| oleaut32.dll | 0xcd32720000 | 0xcd327dcfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cd32800000 | 0xcd32800000 | 0xcd328fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd32900000 | 0xcd32900000 | 0xcd32afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd32900000 | 0xcd32900000 | 0xcd329fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd32a00000 | 0xcd32a00000 | 0xcd32bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd32a00000 | 0xcd32a00000 | 0xcd32afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd32b00000 | 0xcd32b00000 | 0xcd32cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd32b00000 | 0xcd32b00000 | 0xcd32bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd32c00000 | 0xcd32c00000 | 0xcd32dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd32c00000 | 0xcd32c00000 | 0xcd32cfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xcd32d00000 | 0xcd33036fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000cd33040000 | 0xcd33040000 | 0xcd33172fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x00007df5ffa40000 | 0x7df5ffa40000 | 0x7ff5ffa3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ecf90000 | 0x7ff7ecf90000 | 0x7ff7ed08ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7ed090000 | 0x7ff7ed090000 | 0x7ff7ed0b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ed0bb000 | 0x7ff7ed0bb000 | 0x7ff7ed0bcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ed0bd000 | 0x7ff7ed0bd000 | 0x7ff7ed0befff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ed0bf000 | 0x7ff7ed0bf000 | 0x7ff7ed0bffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff7ee020000 | 0x7ff7ee02cfff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x7ffefa5b0000 | 0x7ffefa5dbfff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x7ffefa5e0000 | 0x7ffefa602fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffefb0a0000 | 0x7ffefb149fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x7fff01950000 | 0x7fff0196bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvfw32.dll | 0x7fff05be0000 | 0x7fff05c08fff | Memory Mapped File | rwx |
|
|
|
- |
| avifil32.dll | 0x7fff05c10000 | 0x7fff05c2ffff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fff08180000 | 0x7fff081a6fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fff09430000 | 0x7fff0945bfff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7fff09810000 | 0x7fff09859fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fff09860000 | 0x7fff09872fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7fff098a0000 | 0x7fff098aefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7fff098b0000 | 0x7fff09ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fff09ee0000 | 0x7fff09f23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fff0a100000 | 0x7fff0a2dcfff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7fff0a3f0000 | 0x7fff0a4a2fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fff0a4b0000 | 0x7fff0a500fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fff0a510000 | 0x7fff0a650fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fff0a660000 | 0x7fff0a695fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7fff0a6a0000 | 0x7fff0a91bfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fff0a920000 | 0x7fff0aa45fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7fff0aac0000 | 0x7fff0ac0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fff0ac20000 | 0x7fff0acc5fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fff0acd0000 | 0x7fff0ae2bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7fff0ae30000 | 0x7fff0aeccfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7fff0b060000 | 0x7fff0b0bafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fff0b0c0000 | 0x7fff0b244fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x7fff0b260000 | 0x7fff0b267fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fff0b2d0000 | 0x7fff0c7f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7fff0ca30000 | 0x7fff0cadcfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7fff0cde0000 | 0x7fff0cfa1fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0x2c0 | address = 0xa80000, size = 1257472 |
|
1 | |
| Modify Memory | #6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0x2c0 | address = 0xbc0000, size = 792 |
|
1 | |
| Modify Control Flow | #6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0x2c0 | os_tid = 0x7cc, address = 0xed0bf000 |
|
1 | |
| Modify Memory | #6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe | 0x2c0 | address = 0x7ff7ee023440, size = 4 |
|
1 |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SYSTEM32\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Read | C:\Windows\SYSTEM32\ntdll.dll | size = 4, size_out = 4 |
|
3 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Scr, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, size = 40, type = REG_BINARY |
|
1 |
Process (35)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\system32\svchost.exe | type = PROCESS_BASIC_INFORMATION |
|
34 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\windows\explorer.exe | proc_address = 0x7fff0cde9fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED |
|
1 | |
| Suspend | c:\windows\explorer.exe | os_tid = 0x964 |
|
1 | |
| Get Context | c:\windows\explorer.exe | os_tid = 0x964 |
|
2 | |
| Set Context | c:\windows\explorer.exe | os_tid = 0x964 |
|
1 | |
| Resume | c:\windows\explorer.exe | os_tid = 0x964 |
|
2 |
Memory (9)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | c:\windows\explorer.exe | address = 0xcd30b3ec60, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 881285393512 |
|
1 | |
| Protect | c:\windows\explorer.exe | address = 0x7fff0cde9fa0, protection = PAGE_EXECUTE_READWRITE, size = 4 |
|
2 | |
| Protect | c:\windows\explorer.exe | address = 0x7fff0cde9fa0, protection = PAGE_EXECUTE_READ, size = 4 |
|
2 | |
| Read | c:\windows\explorer.exe | address = 0x7fff0cde9fa0, size = 4 |
|
1 | |
| Write | c:\windows\explorer.exe | address = 0x7fff0cde9fa0, size = 4 |
|
2 | |
| Write | c:\windows\explorer.exe | address = 0x2e60000, size = 792 |
|
1 |
Module (227)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | AVIFIL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7fff0ac20000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7fff0a4b0000 |
|
1 | |
| Load | USER32.dll | base_address = 0x7fff0aac0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x7fff0b260000 |
|
1 | |
| Get Handle | c:\windows\system32\svchost.exe | base_address = 0x7ff7ee020000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7fff0ca30000 |
|
5 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7fff0cde0000 |
|
4 | |
| Get Handle | c:\windows\system32\kernelbase.dll | base_address = 0x7fff0a100000 |
|
1 | |
| Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x7fff0ac20000 |
|
2 | |
| Get Filename | AVIFIL32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 |
|
2 | |
| Get Filename | c:\windows\system32\ntdll.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
3 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = bsearch, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = _vsnwprintf, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = _strlwr, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = atoi, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = strstr, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = memcmp, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = __chkstk, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = VirtualQueryEx, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateRemoteThread, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = WriteProcessMemory, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetCurrentProcess, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GlobalAlloc, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = TerminateProcess, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateProcessW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetComputerNameA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetVolumeInformationA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = LocalReAlloc, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = LoadLibraryW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetVersionExW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetSystemInfo, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = Process32NextW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = Process32FirstW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = AVIStreamRelease, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = AVIStreamWrite, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = AVIFileOpenA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = AVIFileCreateStreamA, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = AVIStreamSetFormat, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = AVIFileExit, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = AVIFileInit, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = AVIMakeCompressedStream, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | - | function = AVIFileRelease, ordinal = 0, address_out = 0xcd30b3fad0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7fff0ca4e960 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7fff0ac3d610 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrRChrA, address_out = 0x7fff0a4c4dd0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x7fff0aae2610 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyA, address_out = 0x7fff0ac3b9e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7fff0ac37dd0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7fff0ac372e0 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrToIntExA, address_out = 0x7fff0a4c4e70 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrChrA, address_out = 0x7fff0a4c4cc0 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrTrimA, address_out = 0x7fff0a4c4e80 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7fff0ac4ec40 |
|
1 | |
| Get Address | c:\windows\system32\psapi.dll | function = EnumProcessModules, address_out = 0x7fff0b261040 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIW, address_out = 0x7fff0a4bb260 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetShellWindow, address_out = 0x7fff0aae4060 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetWindowThreadProcessId, address_out = 0x7fff0aad4040 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlExitUserThread, address_out = 0x7fff0cde9fa0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyA, address_out = 0x7fff0ac66dc0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7fff0ac3da40 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExA, address_out = 0x7fff0ac22680 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7fff0ac37d70 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 881285394944 |
|
1 | |
| Map | - | process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xcd33040000 |
|
1 | |
| Map | - | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9ce0000 |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | - |
|
1 | |
| Get Computer Name | result_out = LHNIWSJ |
|
2 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 73796 |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {CAF7338F-A104-8C55-7B9E-6580DFB269B4} |
|
1 |
Process #8: explorer.exe
885
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:58, Reason: Injection |
| Unmonitor | End Time: 00:03:09, Reason: Crashed |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x85c |
| Parent PID | 0x848 (c:\windows\system32\userinit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
4CC
0x
734
0x
8E4
0x
8B0
0x
BEC
0x
BE4
0x
BE0
0x
BDC
0x
BB0
0x
B9C
0x
B98
0x
B14
0x
B10
0x
A5C
0x
9A0
0x
99C
0x
990
0x
984
0x
974
0x
958
0x
954
0x
950
0x
94C
0x
948
0x
944
0x
93C
0x
938
0x
934
0x
930
0x
92C
0x
928
0x
924
0x
920
0x
91C
0x
914
0x
910
0x
90C
0x
900
0x
8FC
0x
8F0
0x
8D8
0x
8B8
0x
8B4
0x
8B0
0x
8AC
0x
8A8
0x
8A0
0x
89C
0x
898
0x
894
0x
890
0x
88C
0x
888
0x
884
0x
878
0x
874
0x
870
0x
86C
0x
864
0x
860
0x
964
0x
A80
0x
AD0
0x
ABC
0x
AD8
0x
AB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b66fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00c13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c31fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00dcffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00dd0000 | 0x00e8dfff | Memory Mapped File | r |
|
|
|
- |
| explorer.exe.mui | 0x00e90000 | 0x00e97fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eb0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ec0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x00ed0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x00ee0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00ef0fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x00f00000 | 0x00f03fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x00f10000 | 0x00f22fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f30fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000036.db | 0x00f40000 | 0x00f5bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f72fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f81fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f91fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fd9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| oleaccrc.dll | 0x00fe0000 | 0x00fe1fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x00ff0000 | 0x00ff4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001010000 | 0x01010000 | 0x01197fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000011a0000 | 0x011a0000 | 0x01320fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001330000 | 0x01330000 | 0x0272ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02730000 | 0x02a66fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002a70000 | 0x02a70000 | 0x02aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b70000 | 0x02b70000 | 0x02beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02c6ffff | Private Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0x02c70000 | 0x02cd0fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x02ce0000 | 0x02dbefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002dc0000 | 0x02dc0000 | 0x02e3ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x02e40000 | 0x02e43fff | Memory Mapped File | r |
|
|
|
- |
| imageres.dll.mui | 0x02e50000 | 0x02e50fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002e70000 | 0x02e70000 | 0x02e72fff | Pagefile Backed Memory | r |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000037.db | 0x02e80000 | 0x02e9cfff | Memory Mapped File | r |
|
|
|
- |
| stobject.dll.mui | 0x02ea0000 | 0x02ea1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002eb0000 | 0x02eb0000 | 0x02eb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ec0000 | 0x02ec0000 | 0x02f3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002f40000 | 0x02f40000 | 0x02ff7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000003000000 | 0x03000000 | 0x03003fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003010000 | 0x03010000 | 0x0310ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003110000 | 0x03110000 | 0x0320ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003210000 | 0x03210000 | 0x03210fff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03220000 | 0x0425ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004260000 | 0x04260000 | 0x04266fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004270000 | 0x04270000 | 0x04270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004280000 | 0x04280000 | 0x04280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004290000 | 0x04290000 | 0x04290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042a0000 | 0x042a0000 | 0x0431ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004320000 | 0x04320000 | 0x04321fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004330000 | 0x04330000 | 0x04330fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004340000 | 0x04340000 | 0x04340fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x04350fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004360000 | 0x04360000 | 0x04362fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x04370000 | 0x04373fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004380000 | 0x04380000 | 0x04380fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004390000 | 0x04390000 | 0x04390fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000043a0000 | 0x043a0000 | 0x043a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000043b0000 | 0x043b0000 | 0x043b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000043c0000 | 0x043c0000 | 0x043f8fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004400000 | 0x04400000 | 0x04402fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x04410fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x04420fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x044affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000044b0000 | 0x044b0000 | 0x0452ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004530000 | 0x04530000 | 0x04532fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x04540000 | 0x04543fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x04550000 | 0x04592fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x045a0000 | 0x045a3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x045b0000 | 0x0463afff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x04640000 | 0x04650fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004660000 | 0x04660000 | 0x046dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046e0000 | 0x046e0000 | 0x0475ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x04760fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004770000 | 0x04770000 | 0x047effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x0486ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004870000 | 0x04870000 | 0x04d61fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0507ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x050fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x0517ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005180000 | 0x05180000 | 0x051fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005200000 | 0x05200000 | 0x0527ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x052fffff | Private Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0x05300000 | 0x05301fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000005310000 | 0x05310000 | 0x05312fff | Pagefile Backed Memory | r |
|
|
|
- |
| thumbcache_idx.db | 0x05320000 | 0x05321fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000005330000 | 0x05330000 | 0x05330fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005340000 | 0x05340000 | 0x05340fff | Private Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x05350000 | 0x05351fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000005360000 | 0x05360000 | 0x05361fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0x05370000 | 0x05371fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000005380000 | 0x05380000 | 0x05382fff | Pagefile Backed Memory | r |
|
|
|
- |
| inputswitch.dll.mui | 0x05390000 | 0x05391fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x053a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000053b0000 | 0x053b0000 | 0x053b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000053c0000 | 0x053c0000 | 0x053c8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053d0000 | 0x053d0000 | 0x053d3fff | Private Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0x053e0000 | 0x053e1fff | Memory Mapped File | rw |
|
|
|
- |
| netmsg.dll | 0x053f0000 | 0x053f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005400000 | 0x05400000 | 0x05408fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005410000 | 0x05410000 | 0x05410fff | Private Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0x05420000 | 0x05421fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000005430000 | 0x05430000 | 0x054affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000054b0000 | 0x054b0000 | 0x054b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000054c0000 | 0x054c0000 | 0x054c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000054d0000 | 0x054d0000 | 0x054d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000054e0000 | 0x054e0000 | 0x054e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| winnlsres.dll | 0x054f0000 | 0x054f4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x05500000 | 0x0550ffff | Memory Mapped File | r |
|
|
|
- |
| windows.storage.dll.mui | 0x05510000 | 0x05517fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005520000 | 0x05520000 | 0x0561ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000005620000 | 0x05620000 | 0x05622fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005630000 | 0x05630000 | 0x05677fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005680000 | 0x05680000 | 0x056c7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000056d0000 | 0x056d0000 | 0x0574ffff | Private Memory | rw |
|
|
|
- |
| thumbcache_48.db | 0x05750000 | 0x0584ffff | Memory Mapped File | rw |
|
|
|
- |
| netmsg.dll.mui | 0x05850000 | 0x05881fff | Memory Mapped File | r |
|
|
|
- |
| iconcache_48.db | 0x05890000 | 0x0598ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000005990000 | 0x05990000 | 0x05a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a10000 | 0x05a10000 | 0x05a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a90000 | 0x05a90000 | 0x05b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005b10000 | 0x05b10000 | 0x05b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005b90000 | 0x05b90000 | 0x05bd8fff | Private Memory | rw |
|
|
|
- |
| iconcache_256.db | 0x05be0000 | 0x05be0fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_48.db | 0x05bf0000 | 0x05ceffff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_48.db | 0x05cf0000 | 0x05deffff | Memory Mapped File | rw |
|
|
|
- |
| grooveintlresource.dll | 0x05df0000 | 0x06672fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000006680000 | 0x06680000 | 0x06e7ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000006e80000 | 0x06e80000 | 0x0707ffff | Private Memory | rw |
|
|
|
- |
| appdb.dat | 0x07080000 | 0x09401fff | Memory Mapped File | rw |
|
|
|
- |
| sndvolsso.dll.mui | 0x09410000 | 0x09411fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000009420000 | 0x09420000 | 0x09422fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000009430000 | 0x09430000 | 0x0943dfff | Private Memory | rw |
|
|
|
- |
| pnidui.dll.mui | 0x09440000 | 0x09441fff | Memory Mapped File | r |
|
|
|
- |
|
For performance reasons, the remaining 333 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #7: c:\windows\system32\svchost.exe | 0x7cc | address = 0x7fff0cde9fa0 |
|
1 | |
| Modify Memory | #7: c:\windows\system32\svchost.exe | 0x7cc | address = 0x7fff0cde9fa0, size = 4 |
|
2 | |
| Modify Memory | #7: c:\windows\system32\svchost.exe | 0x7cc | address = 0x9ce0000, size = 1257472 |
|
1 | |
| Modify Memory | #7: c:\windows\system32\svchost.exe | 0x7cc | address = 0x2e60000, size = 792 |
|
1 | |
| Modify Control Flow | #7: c:\windows\system32\svchost.exe | 0x7cc | os_tid = 0x964, address = 0x0 |
|
1 |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Pipe | pipe\{072bb6f5-baec-d114-fc2b-8e95f08fa299} | open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255 |
|
1 |
Registry (20)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | - |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Install, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = Client, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 | value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, size = 8, type = REG_BINARY |
|
1 | |
| Enumerate Values | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 |
Process (590)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
590 |
Module (236)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | AVIFIL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7fff0ac20000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7fff0a4b0000 |
|
1 | |
| Load | USER32.dll | base_address = 0x7fff0aac0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x7fff0b260000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7fff0a510000 |
|
1 | |
| Load | ADVAPI32.DLL | base_address = 0x7fff0ac20000 |
|
1 | |
| Get Handle | Unknown module name | base_address = 0x7ff699df0000 |
|
1 | |
| Get Handle | KERNEL32.DLL | base_address = 0x7fff0ca30000 |
|
5 | |
| Get Handle | NTDLL.DLL | base_address = 0x7fff0cde0000 |
|
2 | |
| Get Handle | kernelbase | base_address = 0x7fff0a100000 |
|
2 | |
| Get Handle | ADVAPI32.DLL | base_address = 0x7fff0ac20000 |
|
3 | |
| Get Filename | AVIFIL32.dll | process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 |
|
2 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = bsearch, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = _vsnwprintf, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = _strlwr, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = atoi, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = strstr, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = memcmp, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = __chkstk, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = VirtualQueryEx, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateRemoteThread, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = WriteProcessMemory, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetCurrentProcess, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GlobalAlloc, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = TerminateProcess, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateProcessW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetComputerNameA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetVolumeInformationA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = LocalReAlloc, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = LoadLibraryW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetVersionExW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetSystemInfo, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = Process32NextW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = Process32FirstW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = AVIStreamRelease, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = AVIStreamWrite, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = AVIFileOpenA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = AVIStreamSetFormat, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = AVIFileExit, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = AVIFileInit, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | - | function = AVIFileRelease, ordinal = 0, address_out = 0x2e3f7d0 |
|
1 | |
| Get Address | Unknown module name | function = IsWow64Process, address_out = 0x7fff0ca4e960 |
|
1 | |
| Get Address | Unknown module name | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7fff0ac3d610 |
|
1 | |
| Get Address | Unknown module name | function = StrRChrA, address_out = 0x7fff0a4c4dd0 |
|
1 | |
| Get Address | Unknown module name | function = wsprintfA, address_out = 0x7fff0aae2610 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyA, address_out = 0x7fff0ac3b9e0 |
|
1 | |
| Get Address | Unknown module name | function = RegQueryValueExA, address_out = 0x7fff0ac37dd0 |
|
1 | |
| Get Address | Unknown module name | function = RegCloseKey, address_out = 0x7fff0ac372e0 |
|
1 | |
| Get Address | Unknown module name | function = StrToIntExA, address_out = 0x7fff0a4c4e70 |
|
1 | |
| Get Address | Unknown module name | function = StrChrA, address_out = 0x7fff0a4c4cc0 |
|
1 | |
| Get Address | Unknown module name | function = StrTrimA, address_out = 0x7fff0a4c4e80 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameA, address_out = 0x7fff0ac4ec40 |
|
1 | |
| Get Address | Unknown module name | function = EnumProcessModules, address_out = 0x7fff0b261040 |
|
1 | |
| Get Address | Unknown module name | function = StrStrIW, address_out = 0x7fff0a4bb260 |
|
1 | |
| Get Address | Unknown module name | function = RegEnumValueW, address_out = 0x7fff0ac37220 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExA, address_out = 0x7fff0ac22680 |
|
1 | |
| Get Address | Unknown module name | function = RegCreateKeyA, address_out = 0x7fff0ac66dc0 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyExA, address_out = 0x7fff0ac37d70 |
|
1 | |
| Get Address | Unknown module name | function = CreateStreamOnHGlobal, address_out = 0x7fff0a6c70a0 |
|
1 | |
| Get Address | Unknown module name | function = PathFindFileNameA, address_out = 0x7fff0a4bcf30 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowsHookExA, address_out = 0x7fff0aac27a0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterClassA, address_out = 0x7fff0aae1310 |
|
1 | |
| Get Address | Unknown module name | function = CreateWindowExA, address_out = 0x7fff0aae4df0 |
|
1 | |
| Get Address | Unknown module name | function = GetWindowLongPtrA, address_out = 0x7fff0aaccae0 |
|
1 | |
| Get Address | Unknown module name | function = DefWindowProcA, address_out = 0x7fff0ce73230 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowLongPtrA, address_out = 0x7fff0aad61f0 |
|
1 | |
| Get Address | Unknown module name | function = GetMessageA, address_out = 0x7fff0aadaa50 |
|
1 | |
| Get Address | Unknown module name | function = TranslateMessage, address_out = 0x7fff0aad36a0 |
|
1 | |
| Get Address | Unknown module name | function = DispatchMessageA, address_out = 0x7fff0aae61e0 |
|
1 | |
| Get Address | Unknown module name | function = SetClipboardViewer, address_out = 0x7fff0aaf0de0 |
|
1 | |
| Get Address | Unknown module name | function = PostMessageA, address_out = 0x7fff0aae4900 |
|
1 | |
| Get Address | Unknown module name | function = OpenClipboard, address_out = 0x7fff0aaeb6c0 |
|
1 | |
| Get Address | Unknown module name | function = GetClipboardData, address_out = 0x7fff0aaeaba0 |
|
1 | |
| Get Address | Unknown module name | function = CloseClipboard, address_out = 0x7fff0aaf0920 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = {1C082EE2-60D9-5464-3673-CA57D81D8CA1}, wndproc_parameter = 164919424 |
|
1 | |
| Create | - | class_name = {B020A45B-8DFE-5D45-BFE0-631449128D66}, wndproc_parameter = 164919056 |
|
1 |
System (12)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Clipboard | format = 1 |
|
1 | |
| Sleep | duration = -1 (infinite) |
|
3 | |
| Get Time | type = Ticks, time = 74781 |
|
1 | |
| Get Time | type = System Time, time = 2018-10-24 01:46:31 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 76109 |
|
1 | |
| Get Time | type = Ticks, time = 76140 |
|
1 | |
| Register Hook | type = WH_KEYBOARD_LL, hookproc_address = 0x9d1045c |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {1294B7E5-49A4-1461-6366-8D8847FA113C} |
|
1 | |
| Create | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6} |
|
1 | |
| Create | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D} |
|
1 | |
| Create | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45} |
|
1 | |
| Open | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 |
Process #9: explorer.exe
0
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:08, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xae8 |
| Parent PID | 0x85c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs | - |
Process #10: werfault.exe
0
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\werfault.exe |
| Command Line | C:\Windows\system32\WerFault.exe -u -p 2140 -s 6596 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:08, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa68 |
| Parent PID | 0x85c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AC8
0x
A58
0x
AE4
0x
8BC
0x
8C4
0x
B34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000779eab0000 | 0x779eab0000 | 0x779eacffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000779eab0000 | 0x779eab0000 | 0x779eabffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000779eac0000 | 0x779eac0000 | 0x779eac6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000779ead0000 | 0x779ead0000 | 0x779eae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000779eaf0000 | 0x779eaf0000 | 0x779eb6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000779eb70000 | 0x779eb70000 | 0x779eb73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000779eb80000 | 0x779eb80000 | 0x779eb82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000779eb90000 | 0x779eb90000 | 0x779eb91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x779eba0000 | 0x779ec5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000779ec60000 | 0x779ec60000 | 0x779ec66fff | Private Memory | rw |
|
|
|
- |
| werfault.exe.mui | 0x779ec70000 | 0x779ec73fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000779ec80000 | 0x779ec80000 | 0x779ec80fff | Private Memory | rw |
|
|
|
- |
| private_0x000000779ec90000 | 0x779ec90000 | 0x779ec90fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000779eca0000 | 0x779eca0000 | 0x779eca0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000779ecb0000 | 0x779ecb0000 | 0x779ecb0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000779ecc0000 | 0x779ecc0000 | 0x779edbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000779edc0000 | 0x779edc0000 | 0x779ee3ffff | Private Memory | rw |
|
|
|
- |
| ntdll.dll.mui | 0x779ee40000 | 0x779eea5fff | Memory Mapped File | r |
|
|
|
- |
| faultrep.dll.mui | 0x779eeb0000 | 0x779eeb1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000779eec0000 | 0x779eec0000 | 0x779eec0fff | Private Memory | rw |
|
|
|
- |
| wer.dll.mui | 0x779eed0000 | 0x779eed2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000779eee0000 | 0x779eee0000 | 0x779eeeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000779eef0000 | 0x779eef0000 | 0x779eef6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000779ef00000 | 0x779ef00000 | 0x779ef01fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000779ef10000 | 0x779ef10000 | 0x779ef11fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000779ef20000 | 0x779ef20000 | 0x779ef2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000779ef30000 | 0x779ef30000 | 0x779f0b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000779f0c0000 | 0x779f0c0000 | 0x779f240fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000779f250000 | 0x779f250000 | 0x77a064ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000077a0650000 | 0x77a0650000 | 0x77a0650fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000077a0660000 | 0x77a0660000 | 0x77a0661fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000077a0670000 | 0x77a0670000 | 0x77a0670fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000077a06d0000 | 0x77a06d0000 | 0x77a07cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000077a0840000 | 0x77a0840000 | 0x77a084ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x77a0850000 | 0x77a0b86fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000077a0b90000 | 0x77a0b90000 | 0x77a0c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000077a0c90000 | 0x77a0c90000 | 0x77a0d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000077a0d90000 | 0x77a0d90000 | 0x77a0f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000077a0f90000 | 0x77a0f90000 | 0x77a138ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000077a1390000 | 0x77a1390000 | 0x77a158ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x77a1590000 | 0x77a166efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000077a1670000 | 0x77a1670000 | 0x77a176ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000077a1770000 | 0x77a1770000 | 0x77a17effff | Private Memory | rw |
|
|
|
- |
| private_0x00000077a17f0000 | 0x77a17f0000 | 0x77a186ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000077a1870000 | 0x77a1870000 | 0x77a18effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff010000 | 0x7df5ff010000 | 0x7ff5ff00ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff79a2a0000 | 0x7ff79a2a0000 | 0x7ff79a39ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff79a3a0000 | 0x7ff79a3a0000 | 0x7ff79a3c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff79a3c5000 | 0x7ff79a3c5000 | 0x7ff79a3c5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a3c6000 | 0x7ff79a3c6000 | 0x7ff79a3c7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a3c8000 | 0x7ff79a3c8000 | 0x7ff79a3c9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a3ca000 | 0x7ff79a3ca000 | 0x7ff79a3cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a3cc000 | 0x7ff79a3cc000 | 0x7ff79a3cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff79a3ce000 | 0x7ff79a3ce000 | 0x7ff79a3cffff | Private Memory | rw |
|
|
|
- |
| werfault.exe | 0x7ff79aab0000 | 0x7ff79aafafff | Memory Mapped File | rwx |
|
|
|
- |
| dbgeng.dll | 0x7ffef5880000 | 0x7ffef5d5bfff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ffef93f0000 | 0x7ffef959ffff | Memory Mapped File | rwx |
|
|
|
- |
| dbgmodel.dll | 0x7ffef9580000 | 0x7ffef9610fff | Memory Mapped File | rwx |
|
|
|
- |
| werui.dll | 0x7ffef95a0000 | 0x7ffef9613fff | Memory Mapped File | rwx |
|
|
|
- |
| faultrep.dll | 0x7ffef9620000 | 0x7ffef967dfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffefaee0000 | 0x7ffefb069fff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffefb0b0000 | 0x7ffefb14dfff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffefec50000 | 0x7ffefec5dfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffeffa80000 | 0x7ffeffa8bfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7fff00dd0000 | 0x7fff00e0efff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fff01880000 | 0x7fff01889fff | Memory Mapped File | rwx |
|
|
|
- |
| dbgcore.dll | 0x7fff01890000 | 0x7fff018b4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fff027e0000 | 0x7fff02a53fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7fff03380000 | 0x7fff033b5fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fff07f60000 | 0x7fff07fd7fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fff080e0000 | 0x7fff08175fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fff08180000 | 0x7fff081a6fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fff08bb0000 | 0x7fff08be1fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fff08d30000 | 0x7fff08d62fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fff08e20000 | 0x7fff08e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fff090e0000 | 0x7fff090f6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fff09250000 | 0x7fff0925afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fff09430000 | 0x7fff0945bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7fff09630000 | 0x7fff09657fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7fff09660000 | 0x7fff096cafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7fff09810000 | 0x7fff09859fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fff09860000 | 0x7fff09872fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7fff098a0000 | 0x7fff098aefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7fff098b0000 | 0x7fff09ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fff09ee0000 | 0x7fff09f23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fff0a100000 | 0x7fff0a2dcfff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7fff0a3f0000 | 0x7fff0a4a2fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fff0a4b0000 | 0x7fff0a500fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fff0a510000 | 0x7fff0a650fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fff0a660000 | 0x7fff0a695fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7fff0a6a0000 | 0x7fff0a91bfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fff0a920000 | 0x7fff0aa45fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7fff0aac0000 | 0x7fff0ac0dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fff0ac10000 | 0x7fff0ac17fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fff0ac20000 | 0x7fff0acc5fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fff0acd0000 | 0x7fff0ae2bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7fff0ae30000 | 0x7fff0aeccfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7fff0aef0000 | 0x7fff0af94fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7fff0afa0000 | 0x7fff0b05dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7fff0b060000 | 0x7fff0b0bafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fff0b0c0000 | 0x7fff0b244fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fff0b2d0000 | 0x7fff0c7f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7fff0ca30000 | 0x7fff0cadcfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7fff0cde0000 | 0x7fff0cfa1fff | Memory Mapped File | rwx |
|
|
|
- |
Process #11: explorer.exe
0
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\explorer.exe |
| Command Line | "C:\Windows\Explorer.EXE" /LOADSAVEDWINDOWS |
| Initial Working Directory | C:\Windows\ |
| Monitor | Start Time: 00:03:07, Reason: Child Process |
| Unmonitor | End Time: 00:04:40, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:33 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb20 |
| Parent PID | 0xa68 (c:\windows\system32\werfault.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
81C
0x
7C8
0x
7D8
0x
2B4
0x
A84
0x
B00
0x
144
0x
4E4
0x
6D4
0x
8D0
0x
590
0x
434
0x
8D4
0x
AF0
0x
8CC
0x
8EC
0x
8
0x
3EC
0x
730
0x
720
0x
868
0x
73C
0x
738
0x
724
0x
8A4
0x
810
0x
9C4
0x
9E0
0x
918
0x
840
0x
220
0x
2C4
0x
274
0x
224
0x
554
0x
84C
0x
850
0x
550
0x
2EC
0x
21C
0x
54C
0x
2E8
0x
57C
0x
2D8
0x
560
0x
4D4
0x
2E4
0x
BE8
0x
2E0
0x
A50
0x
AF4
0x
154
0x
B6C
0x
854
0x
19C
0x
1AC
0x
978
0x
908
0x
1EC
0x
A90
0x
268
0x
634
0x
124
0x
874
0x
888
0x
BEC
0x
AD0
0x
884
0x
894
0x
898
0x
89C
0x
448
0x
8C4
0x
924
0x
928
0x
930
0x
934
0x
938
0x
8E4
0x
8CC
0x
738
0x
8A4
0x
810
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f40000 | 0x00f40000 | 0x00f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f56fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01003fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001010000 | 0x01010000 | 0x01012fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x01021fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x01036fff | Private Memory | rw |
|
|
|
- |
| explorer.exe.mui | 0x01040000 | 0x01047fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x01050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x01060fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01070fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01080fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x0119ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x011a0000 | 0x0125dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001260000 | 0x01260000 | 0x012dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000012e0000 | 0x012e0000 | 0x012e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x012f0000 | 0x012f3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x01300000 | 0x01312fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001320000 | 0x01320000 | 0x01320fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001330000 | 0x01330000 | 0x013affff | Private Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000037.db | 0x013b0000 | 0x013ccfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000013d0000 | 0x013d0000 | 0x013d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000013e0000 | 0x013e0000 | 0x013e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000013f0000 | 0x013f0000 | 0x013f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001400000 | 0x01400000 | 0x01401fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001410000 | 0x01410000 | 0x0141ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x015a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000015b0000 | 0x015b0000 | 0x01730fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001740000 | 0x01740000 | 0x02b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002b40000 | 0x02b40000 | 0x02bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x02c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002cc0000 | 0x02cc0000 | 0x02ce9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002cf0000 | 0x02cf0000 | 0x02cfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02d00000 | 0x03036fff | Memory Mapped File | r |
|
|
|
- |
| shell32.dll.mui | 0x03040000 | 0x030a0fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x030b0000 | 0x0318efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003190000 | 0x03190000 | 0x0320ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003210000 | 0x03210000 | 0x0328ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x0330ffff | Private Memory | rw |
|
|
|
- |
| oleaccrc.dll | 0x03310000 | 0x03311fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x03320000 | 0x03324fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000003330000 | 0x03330000 | 0x033e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000033f0000 | 0x033f0000 | 0x033f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003400000 | 0x03400000 | 0x034fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003500000 | 0x03500000 | 0x035fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003600000 | 0x03600000 | 0x03600fff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03610000 | 0x0464ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004650000 | 0x04650000 | 0x04b41fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b56fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c40fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c50000 | 0x04c50000 | 0x04c52fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x04c60000 | 0x04c63fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04c70fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c80000 | 0x04c80000 | 0x04c80fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04c90fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004ca0000 | 0x04ca0000 | 0x04ca2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df5ffcb0000 | 0x7df5ffcb0000 | 0x7ff5ffcaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff699956000 | 0x7ff699956000 | 0x7ff699957fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff699958000 | 0x7ff699958000 | 0x7ff699959fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69995a000 | 0x7ff69995a000 | 0x7ff69995bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69995c000 | 0x7ff69995c000 | 0x7ff69995dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69995e000 | 0x7ff69995e000 | 0x7ff69995ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff699960000 | 0x7ff699960000 | 0x7ff699a5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff699a60000 | 0x7ff699a60000 | 0x7ff699a82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff699a84000 | 0x7ff699a84000 | 0x7ff699a85fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff699a86000 | 0x7ff699a86000 | 0x7ff699a87fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff699a88000 | 0x7ff699a88000 | 0x7ff699a89fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff699a8a000 | 0x7ff699a8a000 | 0x7ff699a8bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff699a8c000 | 0x7ff699a8c000 | 0x7ff699a8cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff699a8e000 | 0x7ff699a8e000 | 0x7ff699a8ffff | Private Memory | rw |
|
|
|
- |
| explorer.exe | 0x7ff699df0000 | 0x7ff69a23dfff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ffefcaa0000 | 0x7ffefd5acfff | Memory Mapped File | rwx |
|
|
|
- |
| dataexchange.dll | 0x7ffefd5c0000 | 0x7ffefd605fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.dll | 0x7ffefd710000 | 0x7ffefd7c9fff | Memory Mapped File | rwx |
|
|
|
- |
| tokenbroker.dll | 0x7ffefe340000 | 0x7ffefe405fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffefe500000 | 0x7ffefe969fff | Memory Mapped File | rwx |
|
|
|
- |
| idstore.dll | 0x7fff018c0000 | 0x7fff018e6fff | Memory Mapped File | rwx |
|
|
|
- |
| explorerframe.dll | 0x7fff019c0000 | 0x7fff01e4ffff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fff027e0000 | 0x7fff02a53fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7fff02f90000 | 0x7fff03021fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7fff03030000 | 0x7fff03068fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7fff03380000 | 0x7fff033b5fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x7fff03f10000 | 0x7fff03f2bfff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7fff03f30000 | 0x7fff04474fff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7fff05d30000 | 0x7fff05d98fff | Memory Mapped File | rwx |
|
|
|
- |
| settingsynccore.dll | 0x7fff05da0000 | 0x7fff05e80fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fff061b0000 | 0x7fff06332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7fff06340000 | 0x7fff063b1fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7fff06410000 | 0x7fff06540fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7fff07530000 | 0x7fff075cbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7fff075d0000 | 0x7fff07872fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fff07880000 | 0x7fff078a1fff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7fff07a00000 | 0x7fff07ad0fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7fff07dd0000 | 0x7fff07de2fff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7fff07df0000 | 0x7fff07e55fff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x7fff07e60000 | 0x7fff07e84fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fff07e90000 | 0x7fff07eb5fff | Memory Mapped File | rwx |
|
|
|
- |
| sndvolsso.dll | 0x7fff07ed0000 | 0x7fff07f34fff | Memory Mapped File | rwx |
|
|
|
- |
| settingsyncpolicy.dll | 0x7fff07f40000 | 0x7fff07f50fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fff07f60000 | 0x7fff07fd7fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fff080e0000 | 0x7fff08175fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fff08180000 | 0x7fff081a6fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7fff081d0000 | 0x7fff082bdfff | Memory Mapped File | rwx |
|
|
|
- |
| hid.dll | 0x7fff08860000 | 0x7fff0886bfff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7fff089b0000 | 0x7fff08a07fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fff08d30000 | 0x7fff08d62fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fff08e20000 | 0x7fff08e3efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fff090e0000 | 0x7fff090f6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fff09250000 | 0x7fff0925afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fff09430000 | 0x7fff0945bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7fff09630000 | 0x7fff09657fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7fff09660000 | 0x7fff096cafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7fff09810000 | 0x7fff09859fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fff09860000 | 0x7fff09872fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fff09880000 | 0x7fff09890fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7fff098a0000 | 0x7fff098aefff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7fff098b0000 | 0x7fff09ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fff09ee0000 | 0x7fff09f23fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fff09f30000 | 0x7fff0a0f0fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fff0a100000 | 0x7fff0a2dcfff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7fff0a3f0000 | 0x7fff0a4a2fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fff0a4b0000 | 0x7fff0a500fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fff0a510000 | 0x7fff0a650fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fff0a660000 | 0x7fff0a695fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7fff0a6a0000 | 0x7fff0a91bfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fff0a920000 | 0x7fff0aa45fff | Memory Mapped File | rwx |
|
|
|
- |
| coml2.dll | 0x7fff0aa50000 | 0x7fff0aabefff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7fff0aac0000 | 0x7fff0ac0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fff0ac20000 | 0x7fff0acc5fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fff0acd0000 | 0x7fff0ae2bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7fff0ae30000 | 0x7fff0aeccfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7fff0aef0000 | 0x7fff0af94fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7fff0afa0000 | 0x7fff0b05dfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7fff0b060000 | 0x7fff0b0bafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fff0b0c0000 | 0x7fff0b244fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fff0b2d0000 | 0x7fff0c7f4fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7fff0ca30000 | 0x7fff0cadcfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7fff0cde0000 | 0x7fff0cfa1fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 334 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
